UNCLASSIFIED

Microsoft Solutions for Security and Compliance

Windows Server 2003 Security Guide
April 26, 2006

UNCLASSIFIED

2

MSDN 2.0

UNCLASSIFIED © 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-Non Commercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

UNCLASSIFIED

UNCLASSIFIED Table of Contents iv

Contents
Chapter 1: Introduction to the Windows Server 2003 Security Guide ............. 1 Overview..................................................................................................... 1 Executive Summary...................................................................................... 1 Who Should Read This Guide ......................................................................... 2 Scope of this Guide ...................................................................................... 2 Chapter Summaries ...................................................................................... 3 Chapter 1: Introduction to the Windows Server 2003 Security Guide............. 4 Chapter 2: Windows Server 2003 Hardening Mechanisms ............................ 4 Chapter 3: The Domain Policy .................................................................. 4 Chapter 4: The Member Server Baseline Policy ........................................... 4 Chapter 5: The Domain Controller Baseline Policy ....................................... 5 Chapter 6: The Infrastructure Server Role ................................................. 5 Chapter 7: The File Server Role ................................................................ 5 Chapter 8: The Print Server Role .............................................................. 5 Chapter 9: The Web Server Role............................................................... 5 Chapter 10: The IAS Server Role .............................................................. 6 Chapter 11: The Certificate Services Server Role ........................................ 6 Chapter 12: The Bastion Hosts Role .......................................................... 6 Chapter 13: Conclusion ........................................................................... 6 Appendix A: Security Tools and Formats .................................................... 7 Appendix B: Key Settings to Consider........................................................ 7 Appendix C: Security Template Setting Summary ....................................... 7 Appendix D: Testing the Windows Server 2003 Security Guide ..................... 7 Tools and Templates ............................................................................... 7 Skills and Readiness ..................................................................................... 8 Software Requirements ................................................................................. 8 Style Conventions ........................................................................................ 8 Summary .................................................................................................... 9 More Information.................................................................................... 9

Chapter 2: Windows Server 2003 Hardening Mechanisms ............................ 11 Overview....................................................................................................11 Hardening with the Security Configuration Wizard ...........................................11 Creating and Testing Policies ...................................................................12 Deploying Policies ..................................................................................13
UNCLASSIFIED

............................................................................27 Create the Baseline Policies Manually Using SCW ..........36 Account Policies ..................35 Domain Policy .....................................................................15 Active Directory and Group Policy .................................................................................30 Create the Role Policies Using SCW ....... GPO...37 Enforce password history ..........................................................................................................17 Delegating Administration and Applying Group Policy.............31 Convert the Role Policies to GPOs ...............38 UNCLASSIFIED ...................................................................................................................20 Successful GPO Application Events ......31 Test the Role Policies Using SCW ...............32 More Information.................................................. and Group Design......................................................................13 Convert the SCW Policy to a Group Policy Object...........35 Domain Policy Overview ...................................18 Group Policy Application......................................................................32 Summary ...............................................................................................................................................................................14 Active Directory Boundaries ...............................................28 Test the Baseline Policies Using SCW..........................................................25 Process Overview .......................................................................................17 Administrative Groups ..............................21 Sever Role Organizational Units .............................................. 35 Overview.......................................................................13 Apply the Policy with the Scwcmd Command-line Tool ........................................................................30 Convert the Baseline Policies to GPOs.................................................38 Maximum password age..............36 Password Policy Settings.........................................................................................................36 Password Policy...........19 Security Template Management ....................................................................................................26 Configure the Domain Policy.............................................................................................................................................................33 Chapter 3: The Domain Policy ......14 Hardening Servers with Active Directory Group Policy .......................................................................................................................................................................................................................................................................................25 Create the Active Directory Environment ...........................19 Time Configuration ..15 Administrative Boundaries .........................................................................21 OU..........................14 Security Boundaries...............................................................................................................................................26 Configure Time Synchronization.........UNCLASSIFIED Table of Contents v Apply the Policy with the SCW GUI .............................................

............................................42 Account lockout threshold ...........67 Act as part of the operating system................................................................................................................................................................................................................................................................................44 Security Options.........................................39 Minimum password length .............................................................................................52 Audit account logon events ............................................................................................................................................................................................................................................................................40 Store password using reversible encryption ..................................63 User Rights Assignments ......60 Audit privilege use .........................................................42 Account Lockout Policy Settings.........................44 Security Options Settings....................... 49 Overview.................................................................................................................47 Chapter 4: The Member Server Baseline Policy ....................45 Microsoft network server: Disconnect clients when logon hours expire ........................55 Audit logon events ......................................................................................................64 Access this computer from the network ....................................................................................56 Audit object access .....................................................................................62 Audit process tracking .....................58 Audit policy change .............................................................................................................................49 Windows Server 2003 Baseline Policy ..................................................................................................62 Audit system events...............43 Reset account lockout counter after.....45 Network Access: Allow anonymous SID/NAME translation.............................68 Allow log on locally ............................39 Password must meet complexity requirements......................................42 Account lockout duration.......68 Allow log on through Terminal Services ..............52 Audit Policy .................................................................68 .............41 Account Lockout Policy..46 More Information..........41 How to Prevent Users from Changing a Password Except When Required....................................................................................54 Audit account management.....................................44 Kerberos Policies ..................................................................................................................................45 Network Security: Force Logoff when Logon Hours expire...............................................................................................................................................................................................46 Summary ...............................................................................................................67 Adjust memory quotas for a process ......vi Windows Server 2003 Security Guide Minimum password age.......................................................................................................................................................................

......................................................................74 Remove computer from docking station..............................68 Change the system time ........................................76 Accounts: Limit local account use of blank passwords to console logon only .............................................73 Manage auditing and security log.............................................................................................................................68 Bypass traverse checking.........................................................................................................69 Create a pagefile .......................................73 Modify firmware environment values ..........................................................................................77 UNCLASSIFIED ....................70 Deny log on as a batch job..74 Restore files and directories ...............76 Accounts: Administrator account status ............71 Force shutdown from a remote system ................72 Increase scheduling priority ..............69 Create global objects.................................................69 Debug programs.....75 Shut down the system...................................................................71 Deny log on through Terminal Services....75 Synchronize directory service data.......................................................................................................................................74 Replace a process level token..................................................72 Lock pages in memory .............................................................................................................................................................................72 Impersonate a client after authentication..............................69 Create permanent shared objects ...........................................................................73 Perform volume maintenance tasks...............................................................................................................................................................................................................................................................................74 Profile system performance.................75 Take ownership of files or other objects.....................................69 Create a token object ...............................................UNCLASSIFIED Table of Contents vii Back up files and directories.........................................................................76 Accounts: Guest account status ...........................................................................70 Deny logon as a service....................................72 Generate security audits .......................................75 Accounts Settings ..............................71 Deny logon locally...........................................................................................................................................................................73 Log on as a service ......................................................................................................................................................70 Deny access to this computer from the network ............................................................................................72 Load and unload device drivers..75 Security Options........................................................71 Enable computer and user accounts to be trusted for delegation..74 Profile single process................................................................................................................................................

.................77 Audit: Audit the access of global system objects .......................................................86 ..................................................84 Interactive logon: Prompt user to change password before expiration..............................................................79 Domain Member Settings.....78 Devices: Prevent users from installing printer drivers .......................................83 Interactive logon: Number of previous logons to cache (in case domain controller is not available).............80 Domain member: Digitally encrypt secure channel data (when possible) .....................81 Domain member: Maximum machine account password age.........................81 Domain member: Disable machine account password changes.............................................81 Domain member: Require strong (Windows 2000 or later) session key.........................................................79 Devices: Restrict CD-ROM access to locally logged-on user only.......................................................85 Microsoft Network Client Settings ...............85 Microsoft network client: Digitally sign communications (if server agrees) ........84 Interactive logon: Smart card removal behavior.........................................84 Interactive logon: Require Domain Controller authentication to unlock workstation ...................................................................................................83 Interactive logon: Do not require CTRL+ALT+DEL ............................80 Domain member: Digitally sign secure channel data (when possible) ........................................................................................................................................81 Interactive Logon Settings ..................79 Devices: Unsigned driver installation behavior ............................................85 Microsoft network client: Digitally sign communications (always) ..............83 Interactive logon: Message title for users attempting to log on .................................................................................................................................................................................................................78 Devices: Allow undock without having to log on .....................................................................................................................................................................................................................................................77 Audit: Shut down system immediately if unable to log security audits ..........84 Interactive logon: Require smart card............................................................................................82 Interactive logon: Display user information when the session is locked........................................................82 Interactive logon: Do not display last user name.....................77 Audit: Audit the use of Backup and Restore privilege ......80 Domain member: Digitally encrypt or sign secure channel data (always)................................78 Devices Settings ...............79 Devices: Restrict floppy access to locally logged-on user only ....83 Interactive logon: Message text for users attempting to log on .....................................................78 Devices: Allowed to format and eject removable media............................viii Windows Server 2003 Security Guide Audit Settings ....................................................

...................91 Network access: Restrict anonymous access to Named Pipes and Shares ............................................................................................86 Microsoft network server: Amount of idle time required before suspending session.................................................94 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers....................89 Network access: Do not allow storage of credentials or .................96 Shutdown: Allow system to be shut down without having to log on ........................................................87 Microsoft network server: Digitally sign communications (if client agrees) ......................94 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients .................................................................................95 Recovery console: Allow automatic administrative logon ..............................................................................................89 Network access: Do not allow anonymous enumeration of SAM accounts and shares ..........................87 Network Access Settings............................................................86 Microsoft Network Server Settings .........................................................................................................................................................................................................................90 Network access: Let Everyone permissions apply to anonymous users ................................................................................92 Network security: Do not store LAN Manager hash value on next password change ........................................................................87 Microsoft network server: Disconnect clients when logon hours expire .............88 Network access: Allow anonymous SID/name translation .89 Network access: Do not allow anonymous enumeration of SAM accounts ..................................................................92 Network Security Settings........................................96 UNCLASSIFIED .................................................................................................................................................NET Passports for network authentication .........................................................................95 Recovery Console Settings ...................................................................90 Network access: Named Pipes that can be accessed anonymously......95 Recovery console: Allow floppy copy and access to all drives and all folders ................................................93 Network security: LDAP client signing requirements .................UNCLASSIFIED Table of Contents ix Microsoft network client: Send unencrypted password to thirdparty SMB servers ...............91 Network access: Remotely accessible registry paths and sub-paths ........96 Shutdown: Clear virtual memory page file..................................................................95 Shutdown Settings.......................................................................90 Network access: Remotely accessible registry paths ..........91 Network access: Shares that can be accessed anonymously ..................................86 Microsoft network server: Digitally sign communications (always) ..............92 Network access: Sharing and security model for local accounts ..............93 Network security: LAN Manager authentication level...

...............105 Make Screensaver Password Protection Immediate: The time in seconds before the screen saver grace period expires (0 recommended) ...............................................................................106 Security Log Near Capacity Warning: Percentage threshold for the security event log at which the system will generate a warning ................................................107 ..101 Prevent local guests group from accessing system log ...................................................................98 System Settings .........102 Retention method for security log ...............................................................................100 Maximum security log size ....................................................................99 System settings: Optional subsystems ................................................................101 Retention method for application log ........................................................................................................100 Maximum system log size .........................102 Additional Registry Entries.............................. and signing ..................101 Prevent local guests group from accessing application log .....................................................................102 Retention method for system log ............................................................................................................................102 Security Consideration for Network Attacks ......105 Disable Autorun: Disable Autorun for all drives ............................................................................................................................................................................99 System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies ..... Symbolic Links) .........................g.................................103 Other Registry Entries .....x Windows Server 2003 Security Guide System Cryptography Settings ..................98 System objects: Require case insensitivity for non-Windows subsystems .99 Event Log...................98 System objects: Strengthen default permissions of internal system objects (e............. hashing...................................................................97 System Objects Settings.......3 File Names: Enable the computer to stop generating 8....................................................................................................................106 Automatic Reboot: Allow Windows to automatically restart after a system crash ..........104 Configure NetBIOS Name Release Security: Allow the computer to ignore NetBIOS name release requests except from WINS servers ...........105 Disable Auto Generation of 8........................106 Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended) .......................................................................................................................................101 Prevent local guests group from accessing security log ......................................................................................................................................99 Maximum application log size .........................................98 System objects: Default owner for objects created by members of the Administrators group...............................3 style filenames ......97 System cryptography: Use FIPS compliant algorithms for encryption..........................................97 System cryptography: Force strong key protection for user keys stored on the computer.........................................

...................................................................................................................................................124 Shutdown the system.....................UNCLASSIFIED Table of Contents xi Automatic Logon: Enable Automatic Logon ..............................................108 Restricted Groups...............................................................................................114 Creating the Baseline Policy Using SCW ...................................................................................109 Additional Security Settings .................................................112 Terminal Services Settings ...........................108 Securing the File System.............................................................................................................................................................113 Enable Manual Memory Dumps ..............................................................................111 Securing Service Accounts..................................112 NTFS ...........................................................................125 UNCLASSIFIED ..............................113 Error Reporting.....................119 Audit Policy Settings ....................................................................................................................................................................................................................................................121 Access this computer from the network ....................107 Administrative Shares: Enable Administrative Shares ..............................................................................................................................................................120 Audit directory service access..................................121 Add workstations to domain .................................................................................116 Summary ...................................................................................................124 Restore files and directories ............................................115 Convert and Deploy the Policy .............................................110 Manual Hardening Procedures ..........................117 Chapter 5: The Domain Controller Baseline Policy .108 Enable IPSec to protect Kerberos RSVP Traffic: Enable NoDefaultExempt for IPSec Filtering .......................................................................................110 Securing Well-Known Accounts ..............................110 Manually Adding Unique Security Groups to User Rights Assignments ..........................122 Allow log on through Terminal Services ..............................................................................................124 Load and unload device drivers.................................................114 Test the Policy Using SCW .................................................................123 Change the system time ...................................122 Allow log on locally ............................................................107 Disable Saved Passwords: Prevent the dial-up password from being saved.......................................................116 More Information........................ 119 Overview.....123 Enable computer and user accounts to be trusted for delegation......119 Domain Controller Baseline Policy ............................................................................120 User Rights Assignment Settings .............................................................

........................137 More Information....125 Domain controller: LDAP server signing requirements ..........138 Chapter 6: The Infrastructure Server Role .....................................................133 Terminal Services Settings...............................................................................................................................140 .............................................128 Directory Services..................139 User Rights Assignment Settings .......................126 Network security: Do not store LAN Manager hash value on next password change ......135 Test the Policy Using SCW ........................................................................................137 Summary ..................................................131 Protecting DNS Servers..........................................................................................133 Securing Service Accounts ...................135 Creating the Policy Using SCW .........................125 Domain Controller Settings ..............................................................................................................139 Audit Policy Settings ...............................................................................................................................................................................................................................................................................................127 Restricted Groups........................... 139 Overview................................................140 Additional Security Settings ..............................136 Convert and Deploy the Policy ..................................129 Using Syskey .................133 Securing Well-Known Accounts ......................................................................................................................................................................................126 Domain controller: Refuse machine account password changes ...........................................131 Configuring Secure Dynamic Updates ......................................................................................................................................................................125 Domain controller: Allow server operators to schedule tasks...............................128 Manually Adding Unique Security Groups to User Rights Assignments........................................................126 Event Log Settings ...............................................................................129 Resizing Active Directory Log Files...........................................................................................................134 Error Reporting......................................................................126 Network Security Settings...................................................130 Active Directory-Integrated DNS.....................................................................................132 Resizing the Event Log and DNS Service Log .........................132 Limiting Zone Transfers to Authorized Systems .......................................127 Additional Security Settings ....................................140 Security Options............................xii Windows Server 2003 Security Guide Security Options..........................................................................129 Relocating Data – Active Directory Database and Log Files .......................140 Event Log Settings ......................................................

........................................................................................................................145 Chapter 7: The File Server Role.................................................148 Securing Well-Known Accounts ................153 Audit Policy Settings .....................................................................................................................143 Convert and Deploy the Policy ................................144 More Information........147 User Rights Assignments .............................................................................................................................155 Securing Well-Known Accounts .....157 UNCLASSIFIED .......156 Test the Policy Using SCW .......................................................................................................................155 Additional Security Settings ...................................154 Event Log Settings ................................................................................155 Creating the Policy Using SCW ...............................148 Securing Service Accounts ......................................................................................151 More Information..............................................................................................................151 Chapter 8: The Print Server Role..............................................................................................................................................151 Summary ............................................157 Convert and Deploy the Policy ..........................................................140 Protect Against DHCP Denial of Service Attacks ........................................149 Test the Policy Using SCW .....................142 Test the Policy Using SCW ............................................................................................................................................................................................................................................................147 Audit Policy Settings .....................................................................................................................................................150 Convert and Deploy the Policy .........................148 Security Options................................................................................UNCLASSIFIED Table of Contents xiii Configure DHCP Logging ........................................... 153 Overview....................................141 Securing Service Accounts .154 User Rights Assignments .......................148 Additional Security Settings ............................................................................................................................................................................................155 Securing Service Accounts ....................................142 Creating the Policy Using SCW .......................144 Summary ........149 Creating the Policy Using SCW ................................................................................................................................................................................154 Microsoft network server: Digitally sign communications (always)....................................................................................................................................................... 147 Overview........154 Security Options.................................................................................148 Event Log Settings .........................141 Securing Well-Known Accounts ..................................................

............................................................................180 Securing Service Accounts ..................................................................................171 Configuring IIS Logging ..............................................................................................................................................................................173 Securing Well-Known Accounts ............................................................................................180 Additional Security Settings ........................................................................183 .........................................................................................................................................................................158 More Information............................161 Security Options.....160 Audit Policy Settings ......... 179 Overview..............................................159 Anonymous Access and the SSLF Settings ........180 Event Log.....................xiv Windows Server 2003 Security Guide Summary ........................................................161 Event Log Settings ....................................................................................................................................................................179 Audit Policy .............................................................................170 Setting NTFS Permissions ............................................175 Test the Policy Using SCW ......................................................................161 Installing Only Necessary IIS Components .......................................181 Creating the Policy Using SCW ............171 Setting IIS Web Site Permissions ....................................................176 Convert and Deploy the Policy .........................................176 Summary ...................161 Additional Security Settings ...............................................................................................................................................................................................................169 Placing Content on a Dedicated Disk Volume ................182 Convert and Deploy the Policy ...........................................................172 Manually Adding Unique Security Groups to User Rights Assignments........179 User Rights Assignments ............................................................................................................................................................................177 Chapter 10: The IAS Server Role........................................................................................................................177 More Information........180 Security Options.................................180 Securing Well-Known Accounts ..............................................................181 Test the Policy Using SCW .................................................174 Securing Service Accounts .............................................. 159 Overview...................................................................................................................................158 Chapter 9: The Web Server Role ...................................................................175 Creating the Policy Using SCW ........................161 Enabling Only Essential Web Service Extensions .......................................................................................................................................................................................................161 User Rights Assignments .

.....194 Event Log Settings ........................................................... 185 Overview.........................188 Securing Well-Known Accounts .............................................185 Audit Policy Settings .............................................................................188 File System ACLs .....................196 Error Reporting............................................................................................................190 Test the Policy Using SCW .................................................................................................................199 UNCLASSIFIED .............................186 System cryptography: Use FIPS compliant algorithms for encryption......................................193 Audit Policy Settings ...........................................................................................................................................................................................................................186 User Rights Assignments ..............191 Convert and Deploy the Policy ..............................190 Creating the Policy Using SCW ...................................................................................... and signing ....195 Securing Well-Known Accounts .......................................194 User Rights Assignments .................................................................................197 Test the Policy Using SCW ..................196 Creating the Policy Using SCW .............................................................................................................................................................................................187 Additional Security Settings ...............................................................................184 Chapter 11: The Certificate Services Server Role .............................................................189 Securing Service Accounts .............................................187 Event Log Settings ........................................................................................................................194 Deny access to this computer from the network .........................................192 Chapter 12: The Bastion Host Role..........195 Additional Security Settings ..........................................................................................195 Manually Adding Unique Security Groups to User Rights Assignments......................................193 Bastion Host Local Policy .........................................198 Implement the Policy ......................................................................................................................................... 193 Overview...........194 Security Options..............................................................................198 Summary ............................................................................................183 More Information....................................................................................................................................187 Additional Registry Entries........................................................................................................................................................................192 More Information.192 Summary .................................................................................................. hashing..186 Security Options.......................................................................................................UNCLASSIFIED Table of Contents xv Summary .............................................

...........................................................204 Group Policy Management Console..203 Security Configuration Editor..................................................................................................................................................................................................................................................................................218 Documentation Build Tests .........211 Scope..........xvi Windows Server 2003 Security Guide More Information......................................................................................................................................................211 Test Objectives.......219 Pass and Fail Criteria................219 ................................................205 Appendix B: Key Settings to Consider ...........................................211 Test Environment ............................................................218 Client Side Tests ................................. 209 Appendix D: Testing the Windows Server 2003 Security Guide......................................................................................................................................................................................................................................219 Server Side Tests ........................205 Group Policy Objects .................................................................................................................................................................................................................... 203 Security Tools ........................................................................................................................................................204 SCW Policy (.............................................................................................................................204 Security File Formats ...................................................................................................202 Appendix A: Security Tools and Formats ..........xml) ...................................................................212 Testing Methodology...................... 201 More Information..........................................................................................219 Release Criteria ........203 Security Configuration Wizard .................203 Active Directory Users and Computers.......................................215 Security Configuration Build Phase ......215 Test Preparation Phase .......................................................................................................................................................................218 Types of Tests .................................................................. 211 Overview......................... 207 Appendix C: Security Template Setting Summary ........................................215 Test Execution Phase ......................inf) ............................................214 Phases in a Test Pass .............................204 Policy Template (............................................................................219 Script Tests ................199 Chapter 13: Conclusion .....

...............................................................221 Acknowledgments .................UNCLASSIFIED Table of Contents xvii Bug Classification...............................220 Summary .................................................................................................................................................... 223 UNCLASSIFIED .

.

UNCLASSIFIED .com/secguide. We look forward to hearing from you. Have an opinion? Let us know on the secguide's WebLog at http://blogs.technet.com. Or e-mail your feedback to the following address: secwish@microsoft.UNCLASSIFIED Feedback xix Feedback The Microsoft Solutions for Security and Compliance team would appreciate your thoughts about this and other security solutions.

.

and exposure analysis with regard to security informs you of the tradeoffs between security and usability that all computers are subject to in a networked UNCLASSIFIED . risk. Chapters 2 through 12 of this guide include step-by-step security prescriptions. This best practice information is described in detail in this guide. the Microsoft Windows XP Resource Kit. For example. When you evaluate security costs. an attack in which your organization’s Web site is brought down could cause a major loss of revenue or customer confidence. you are strongly advised to be serious about security issues. procedures. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP (available at http://go.microsoft. If an attack on the servers in your environment is severe enough. the Microsoft Windows 2000 Security Resource Kit. This guide is designed to provide you with the best information available to assess and counter security risks in your organization that are specific to Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1). it could significantly damage the entire organization. refer to resources such as the Microsoft Windows Server 2003 Resource Kit. The companion guide. and recommendations to provide you with task lists that will help you achieve an elevated level of security for those computers that run Windows Server 2003 with SP1 in your organization. and Windows 2000 in a variety of environments to help establish the latest best practices to secure these servers and clients. The chapters in this guide provide detailed guidance about how to enhance security setting configurations and features in Windows Server 2003 with SP1 wherever possible to address threats that you have identified in your environment. If you want more in-depth discussion of the concepts behind this material. Vulnerability. support engineers. and Microsoft TechNet. consultants and network administrators who work in a Windows Server 2003 with SP1 environment. you should include the indirect costs that are associated with any attack in addition to the costs of lost IT functionality. often because they exclude substantial indirect costs. Executive Summary Whatever your environment. as well as customers and partners. provides a comprehensive overview of all of the major security settings that are present in Windows Server 2003 with SP1 and Windows XP with SP2. Many organizations underestimate the value of their information technology (IT) environment. This guide was created for systems engineers. Microsoft worked with consultants and systems engineers who have implemented Windows Server 2003. consultants. which could affect your organization’s profitability.UNCLASSIFIED Chapter 1: Introduction to the Windows Server 2003 Security Guide Overview Welcome to the Windows Server 2003 Security Guide. Windows® XP. This guide was reviewed and approved by Microsoft engineering teams.com/fwlink/?LinkId=15159).

microsoft. The guide then provides specific recommendations about how to harden computers that run Windows Server 2003 with SP1 in three distinct enterprise environments. Computers that run Windows 98 must have the Active Directory Client Extension (DSCLient) installed. much of it is appropriate for organizations of any size. The Legacy Client (LC) environment must support older operating systems such as Windows 98.com/kb/288358. . Who Should Read This Guide This guide is primarily intended for consultants. and what each prescribed server setting addresses in terms of client dependencies.com/fwlink/?LinkId=15159. systems architects. Business analysts and business decision makers (BDMs) with critical business objectives and requirements that depend on client support. This guide documents the major security countermeasures that are available in Windows Server 2003 with SP1. and interesting. You can also refer to the companion guide. The third environment is one in which concern about security is so great that significant loss of client functionality and manageability is considered an acceptable tradeoff to achieve the highest level of security. and the potential negative consequences (if any) of each countermeasure's implementation. These roles include the following common job descriptions: • • • • Architects and planners who drive the architecture efforts for the clients in their organizations. at http://go. More information is available in the Microsoft Knowledge Base article "How to install the Active Directory client extension" at http://support. Although this guide is targeted at the enterprise customer. informative.2 Windows Server 2003 Security Guide environment. Scope of this Guide This guide focuses on how to create and maintain a secure environment for computers that run Windows Server 2003 with SP1 in your organization. To get the most value out of the material.0. the vulnerabilities that they address. Every effort has been made to make this information well organized and easily accessible so that you can quickly find and determine which settings are suitable for the computers in your organization. security specialists. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP.microsoft. The team that produced this guide hopes that you will find the material covered in it useful. IT security specialists who are focused purely on how to provide security across the platforms within their organizations. The three environments are described as follows: • The Legacy Client (LC) environment consists of an Active Directory® directory service domain with member servers and domain controllers that run Windows Server 2003 and some client computers that run Microsoft Windows 98 and Windows NT® 4. you will need to read the entire guide. Consultants from both Microsoft Services and partners who need detailed resources of relevant and useful information for enterprise customers and partners. and IT professionals who plan application or infrastructure development and the deployment of Windows Server 2003. The Enterprise Client (EC) environment is one in which Windows 2000 is the earliest version of the Windows operating system in use. The guidance explains the different stages of how to secure the three environments that are defined in the guide. This third environment is known as the Specialized Security – Limited Functionality (SSLF) environment.

Chapter Summaries The Windows Server 2003 Security Guide consists of 13 chapters. and Specialized Security – Limited Functionality environments. The detailed information that is provided in the companion guide. client computers that are not secured by the SSLF policies could experience communication problems with client computers and servers that are secured by the SSLF policies. the Specialized Security – Limited Functionality settings are so restrictive that many applications may not function. If you need to combine roles for some of the servers in your environment. Also. Enterprise Client. UNCLASSIFIED . the servers’ performance may be affected. The countermeasures that are described and the tools that are provided assume that each server will have a single role. • Guidance about ways to harden computers in these three environments is provided for a group of distinct server roles. and the rest of the chapters document the procedures that are unique to each server role. and it will be more of a challenge to manage the servers. However. It is likely that you will need to make some changes to the security templates and the manual procedures that are documented within this guide so that all of your business applications continue to function as expected. Each chapter builds on the end-to-end solution process that is required to implement and secure Windows Server 2003 with SP1 in your environment. The first few chapters describe how to build a foundation that will allow you to harden the servers in your organization.Chapter 1: Introduction to the Windows Server 2003 Security Guide 3 • The Enterprise Client (EC) environment consists of an Active Directory domain with member servers and domain controllers that run Windows Server 2003 with SP1 and client computers that run Windows 2000 and Windows XP. but it is important that your organization test these settings in your own lab that accurately represents your production environment. The roles that are described in this guide include: • • • • • • • • Domain controllers Infrastructure servers File servers Print servers Internet Information Services (IIS) servers Internet Authentication Services (IAS) servers Certificate Services servers Bastion hosts The recommended settings in this guide were tested thoroughly in lab environments that simulated the previously described Legacy Client. you can customize the security templates that are included in the download that accompanies this guide to create the appropriate combination of services and security options. For this reason. provides the information that you need to assess each specific countermeasure and to decide which of them are appropriate for your organization's unique environment and business requirements. These settings were proven to work in the lab. See the Windows XP Security Guide for information about how to secure client computers with SSLF-compatible settings. The Specialized Security – Limited Functionality (SSLF) environment also consists of an Active Directory domain with member servers and domain controllers that run Windows Server 2003 with SP1 and clients that run Windows 2000 and Windows XP. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP.

These topics are discussed in the context of the three environments that are described in Chapter 1 to provide a vision of an ideal secure endstate environment. and the recommendations in this chapter were determined to provide greater security than the default operating system settings. Group Policy Objects (GPOs). administrative group design. and Specialized Security – Limited Functionality environments and the computers that run in them. Occasionally. This chapter concludes with a detailed examination of how this guide combines the best features of SCW and traditional GPO-based approaches to harden Windows Server 2003 with SP1. The recommendations in this chapter are designed to allow organizations to safely deploy setting configurations for both existing and new deployments of Windows Server 2003 with SP1.4 Windows Server 2003 Security Guide Chapter 1: Introduction to the Windows Server 2003 Security Guide This chapter introduces the Windows Server 2003 Security Guide and includes a brief overview of each chapter. a less restrictive setting is suggested than the one that is present in the default installation of Windows Server 2003 with SP1 to provide support for Legacy Client environments. Chapter 4: The Member Server Baseline Policy This chapter explains security template settings and additional countermeasures for the different server roles in the three environments that are described in Chapter 1. and domain policy. The default security configurations within Windows Server 2003 SP1 were researched and tested. The chapter focuses on how to establish a Member Server Baseline Policy (MSBP) for the server roles that are discussed later in the guide. and test security policies for Windows servers that serve in different roles. It explains how SCW provides an interactive framework to create. The next part of this chapter provides high-level descriptions of Active Directory design. manage. The chapter does not focus on any specific server role. but on the specific policies and settings that are useful for top-level domain policies. It also evaluates the capabilities of SCW within the context of the three environments that are described in Chapter 1. Chapter 2: Windows Server 2003 Hardening Mechanisms This chapter provides an overview of the main mechanisms that are used to harden Windows Server 2003 SP1 in this guide—the Security Configuration Wizard (SCW) and Active Directory Group Policy. Enterprise Client. organizational unit (OU) design. Chapter 3: The Domain Policy This chapter explains security template settings and additional countermeasures for the domain-level policies in the three environments that are described in Chapter 1. . It describes the Legacy Client.

The most essential services for file servers require use of Windows NetBIOS-related protocols and the SMB and CIFS protocols. Chapter 6: The Infrastructure Server Role In this chapter. By default. Because of this threat. the most essential services for print servers require use of Windows NetBIOS-related protocols and the SMB and CIFS protocols. Chapter 7: The File Server Role This chapter focuses on the File server role and the difficult aspects of how to harden such servers. and a central lightweight directory access protocol (LDAP) directory. the infrastructure server role is defined as either a DHCP server or a WINS server. As stated earlier. which allows domain controllers to run the DNS service and answer DNS requests for clients in the Active Directory domain. Any loss or compromise of a domain controller could seriously affect client computers. This chapter assumes that the domain controller will also provide DNS service and provides the appropriate guidance. The hazards of domain controllers in unsecured locations such as branch offices are addressed.Chapter 1: Introduction to the Windows Server 2003 Security Guide 5 Chapter 5: The Domain Controller Baseline Policy The domain controller server role is one of the most important roles to secure in any Active Directory environment with computers that run Windows Server 2003 with SP1. This chapter describes the need to always store domain controllers in physically secure locations that are accessible only to qualified administrative staff. properly configured DNS service. servers. which is included in the domain controller role. This chapter describes how file servers that run Windows Server 2003 with SP1 can benefit from security settings that are not applied by the MSBP. This chapter describes how Windows Server 2003 with SP1 print server security settings can be strengthened in ways that are not applied by the MSBP. Web sites and UNCLASSIFIED . This chapter does not include configuration information for the DNS service. Windows Server 2003 with SP1 integrates DNS zones into Active Directory. Chapter 8: The Print Server Role This chapter focuses on print servers. Active Directory domain controllers require a stable. Like file servers. these protocols are often disabled in high-security environments. The Server Message Block (SMB) and Common Internet File System (CIFS) protocols are typically used to provide access for authenticated users. but when improperly secured they can also disclose rich information to unauthenticated users or attackers. Details are provided about how the Windows Server 2003 with SP1 infrastructure servers in your environment can benefit from security settings that are not applied by the Member Server Baseline Policy (MSBP). Chapter 9: The Web Server Role This chapter describes how comprehensive security for Web sites and applications requires an entire IIS server (including each Web site and application that runs on the IIS server) to be protected from client computers in its environment. and a significant portion of the chapter is devoted to an explanation of the security considerations that are the basis for the recommended Domain Controller Group Policy. and applications that rely on domain controllers for authentication. these protocols are often disabled in high-security environments. Group Policy.

FTP. IIS is not installed on members of the Microsoft Windows Server System™ family by default. Chapter 12: The Bastion Hosts Role Bastion host servers are accessible to client computers from the Internet. Many organizations do not extend their domain infrastructure to the Internet. When IIS is initially installed. Chapter 10: The IAS Server Role Internet Authentication Servers (IAS) provide Remote Authentication Dial-In User Services (RADIUS). This chapter describes ways in which IAS servers that run Windows Server 2003 with SP1 can benefit from security settings that are not applied by the MSBP. ASP. This chapter focuses on IIS Web protocols and applications. and does not include guidance on the other protocols that IIS can provide. For example. and Microsoft FrontPage® Server Extensions must be enabled by the administrator through the Web Service Extensions node in Internet Information Services Manager (IIS Manager). Details are provided about ways in which bastion hosts that run Windows Server 2003 with SP1 can benefit from the security recommendations in this guide for computers that are not members of an Active Directory–based domain. the default settings only allow IIS to serve static content.NET. Chapter 13: Conclusion The concluding chapter of this guide reviews the important points of the material that was presented in the previous chapters. detect. For this reason. Features such as Active Server Pages (ASP). Server-Side Includes. it is explained how these publicly exposed computers are susceptible to attack from a large number of users who can remain completely anonymous if they wish. Sections in this chapter provide details about a variety of settings you can use to harden the IIS servers in your environment. and NNTP. Practices to ensure that these measures are achieved by the IIS servers that run Windows Server 2003 with SP1 in your environment are described in detail in this chapter. it is in a highly secure "locked" mode. Chapter 11: The Certificate Services Server Role Certificate Services provide the cryptographic and certificate management services that are needed to build a public key infrastructure (PKI) in your server environment. this chapter content focuses on how to harden stand-alone computers. In this chapter. WebDAV publishing. The need to monitor.6 Windows Server 2003 Security Guide applications also must be protected from other Web sites and applications that run on the same IIS server. and respond to security issues is emphasized to ensure that the servers stay secure. such as SMTP. such as HTTP. This chapter describes ways in which Certificate Services servers that run Windows Server 2003 with SP1 will benefit from security settings that are not applied by the MSBP. a standards-based authentication protocol that is designed to verify the identity of clients who access networks remotely. .

scripts. "Windows Server 2003 Hardening Mechanisms. Appendix D: Testing the Windows Server 2003 Security Guide This guide provides a significant amount of information about how to harden servers that run Windows Server 2003 with SP1. Appendix C: Security Template Setting Summary This appendix introduces the Microsoft Excel® workbook "Windows Server 2003 Security Guide Settings. These procedures are detailed in Chapter 2. but the reader is constantly cautioned to test and validate all settings before they implement any settings in a production environment." The scripts that are included with this guide include scripts to create and link Group Policy objects as well as test scripts that are used to test the recommended countermeasures.microsoft. there are a variety of other tools and file formats that can be used to augment or replace this methodology. usable form of all of the recommended settings for the three environments that are defined in this guide. This appendix provides guidance about how to create a suitable test lab environment that can be used to help ensure successful implementation of the recommended settings in a production environment. It helps users to perform necessary validation and minimizes the amount of resources that are needed to do so. Appendix B: Key Settings to Consider This guide discusses many security countermeasures and security settings." which is included with the tools and templates in the downloadable version of this guide at http://go. The security templates are text files that can be imported into domain–based Group Policies or applied locally with the Microsoft Management Console (MMC) Security Configuration and Analysis snap-in. Tools and Templates A collection of security templates. This spreadsheet provides a comprehensive master reference in a compact. This appendix provides a short list of these tools and formats. Also included is the Excel workbook that summarizes the security template settings (referenced in the earlier "Appendix C" section). and implement the recommended countermeasures. test.Chapter 1: Introduction to the Windows Server 2003 Security Guide 7 Appendix A: Security Tools and Formats Although this guide focuses on how to use SCW to create policies which are then converted to security templates and Group Policy objects.com/fwlink/?LinkId=14846. UNCLASSIFIED . This appendix discusses the settings that will have the biggest impact on security of computers that run Windows Server 2003 with SP1. but it is important to understand a small number of them are particularly important. and additional tools are included with the downloadable version of this guide to help your organization to evaluate.

msi file within the self-extracting WinZip archive that contains this guide. Experience in the deployment of applications and workstation computers in enterprise environments. deploy.com/fwlink/?LinkId=14846." • Skills and Readiness IT professionals who develop. including commands. Experience in the administration of Group Policy. which is available on the Microsoft Download Center at http://go. \Windows Server 2003 Security Guide Tools and Templates\Test Tools. Gpupdate.msi file. Table 1.1 Style Conventions Element Bold font Meaning Signifies characters typed exactly as shown. Secedit. including the Microsoft Management Console (MMC). In-depth knowledge of organizational domain and Active Directory environments. Italic font . and Gpresult. and file names. Windows Server 2003 Enterprise Edition with SP1. A Windows Server 2003–based Active Directory domain. Software Requirements The software requirements for the tools and templates that are documented in this guide are: • • • Windows Server 2003 Standard Edition with SP1. User interface elements also appear in bold. and secure installations of Windows Server 2003 and Windows XP in an enterprise environment require the following knowledge and skills: • • • • • MCSE 2000 or 2003 certification with more than two years of security-related experience.microsoft. switches. These files are included in a . This folder contains all security templates that are discussed in the guide. Microsoft Excel 2000 or later. Titles of books and other substantial publications appear in italic. Style Conventions This guide uses the following style conventions and terminology. or Windows Server 2003 Datacenter Edition with SP1.8 Windows Server 2003 Security Guide The files that accompany this guide are collectively referred to as tools and templates. This folder contains various files and tools that relate to "Appendix D: Testing the Windows Server 2003 Security Guide. When you execute the . Use of management tools. the following folder structure will be created in the location you specify: • \Windows Server 2003 Security Guide Tools and Templates\Security Templates.

• UNCLASSIFIED . see the Microsoft Operations Framework page at www.microsoft.microsoft.com/mscorp/twc/default.microsoft.Chapter 1: Introduction to the Windows Server 2003 Security Guide 9 Element <Italic> Monospace font Note Important Meaning Placeholders set in italic and angle brackets <file name> represent variables. Alerts the reader to essential supplementary information. Defines code and script samples.mspx. • • For more information about security at Microsoft. Summary This chapter provided an overview of the primary factors that are involved to secure computers that run Windows Server 2003 with SP1.aspx. Alerts the reader to supplementary information.com/technet/itsolutions/cits/mo/mof/default. Now that you understand how this guide is organized. see the Trustworthy Computing page at www. you can decide whether to read it from beginning to end or select only those sections that interest you. Microsoft recommends that you read the entire guide to take full advantage of all the information it contains to secure computers that run Windows Server 2003 with SP1 in your organization. However. For information about Microsoft security notifications.com/technet/security/current. For this reason. For more details about how MOF can assist in your enterprise. which are considered and discussed in greater detail in the rest of the guide. More Information The following links provide additional information about topics that relate to security and Windows Server 2003 with SP1.mspx. it is important to remember that effective and successful security operations require improvements in all of the areas that are discussed in this guide. see the Microsoft Security Bulletin Search page at www. not just a few.

.

UNCLASSIFIED

Chapter 2: Windows Server 2003 Hardening Mechanisms
Overview
This chapter introduces the mechanisms that can be used to implement security settings on Microsoft® Windows Server™ 2003. Service Pack 1 (SP1) of Windows Server 2003 provides the Security Configuration Wizard (SCW), a new role-based tool you can use to make your servers more secure. When used in conjunction with Group Policy objects (GPOs), SCW allows greater control, flexibility, and consistency in the hardening process. This chapter focuses on the following topics: • • • • How SCW is used to create, test, and deploy role-based hardening policies. How the Active Directory® directory service facilitates consistent enterprise hardening through the use of GPOs. How the Active Directory domain design, the organizational unit (OU) design, Group Policy design, and administrative group design affect security deployments. How to use both SCW and Group Policy to create a manageable, role-based approach to harden servers that run Windows Server 2003 with SP1.

This information provides a foundation and a vision that you can use to evolve from a Legacy Client (LC) environment to a Specialized Security – Limited Functionality (SSLF) environment within a domain infrastructure.

Hardening with the Security Configuration Wizard
The purpose of SCW is to provide a flexible, step-by-step process to reduce the attack surface on servers that run Windows Server 2003 with SP1. SCW is actually a collection of tools that is combined with an XML rules database. Its purpose is to help administrators quickly and accurately determine the minimum functionality that is required for the roles that specific servers must fulfill. With SCW, administrators can author, test, troubleshoot, and deploy security policies that disable all non-essential functionality. It also provides the ability to roll back security policies. SCW provides native support for security policy management on single servers as well as groups of servers that share related functionality. SCW is a comprehensive tool that can help you accomplish the following tasks: • • Determine which services must be active, which services need to run when required, and which services can be disabled. Manage network port filtering in combination with Windows Firewall.

UNCLASSIFIED

12

Windows Server 2003 Security Guide

• •

Control which IIS Web extensions are allowed for Web servers. Reduce protocol exposure to the server message block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Lightweight Directory Access Protocol (LDAP). Create useful Audit policies that capture the events of interest.

Detailed instructions about how to install, use, and troubleshoot SCW are available in a downloadable version of the Security Configuration Wizard Documentation at www.microsoft.com/downloads/details.aspx?FamilyID=903fd496-9eb9-4a45-aa003f2f20fd6171&displaylang=en.
Note: SCW can only be used with Windows Server 2003 with SP1. It cannot be used to create policies for Windows 2000 Server, Windows XP, or Windows Small Business Server 2003. To harden significant numbers of computers that run these operating systems, you will need to take advantage of the Group Policy–based hardening mechanisms described later in this chapter.

Creating and Testing Policies
You can use SCW to rapidly create and test security policies for multiple servers or groups of servers from a single computer. This capability allows you to manage policies throughout the enterprise from a single location. These policies provide consistent, supported hardening measures that are appropriate for the functions that each server provides within the organization. If you use SCW to create and test policies, you should deploy SCW to all targeted servers. Although you create the policy on a management station, SCW will attempt to communicate with the target servers to inspect their configuration and fine-tune the resulting policy. SCW is integrated with the IPsec and Windows Firewall subsystems and will modify those settings accordingly. Unless prevented, SCW will configure the Windows Firewall to permit inbound network traffic to important ports that are required by the operating system as well as listening applications. If additional port filters are required, SCW can create them. As a result, policies that are created by SCW address the need for custom scripts to set or modify IPsec filters to block unwanted traffic. This capability simplifies the management of network hardening. The configuration of network filters for services that make use of RPC or dynamic ports can also be simplified. SCW also provides the capability to significantly customize the policies that you create. This flexibility helps you create a configuration that permits necessary functionality but also helps to reduce security risks. In addition to the baseline behaviors and settings, you can override SCW in the following areas: • • • • • • Services Network ports Windows Firewall-approved applications Registry settings IIS settings Inclusion of pre-existing security templates (.inf files)

SCW advises the administrator about some of the most important registry settings. To reduce the complexity of the tool, the designers chose to only include those settings that have the greatest impacts on security. However, this guide discusses many more registry settings. To overcome the limitations of SCW, you can combine security templates with the results of SCW to create a more complete configuration. When you use SCW to create a new policy, it uses the current configuration of a server as an initial configuration. Therefore, you should target a server of the same type as the

Chapter 2: Windows Server 2003 Hardening Mechanisms

13

servers on which you intend to deploy the policy so that you can accurately describe the configuration of the server's roles. When you use the SCW graphical user interface (GUI) to create a new policy, it creates an XML file and saves it in the %systemdir%\security\msscw\Policies folder by default. After you create your policies, you can use either the SCW GUI or the Scwcmd command-line tool to apply the policies to your test servers. When you test the policies, you may need to remove a policy that you deployed. You can use either the GUI or the command-line tool to roll back the last policy you applied to a server or group of servers. SCW saves the previous configuration settings in XML files. For organizations that have limited resources to design and test security configurations, SCW may be sufficient. Those organizations that lack such resources should not even attempt to harden servers, because such efforts often result in unexpected problems and lost productivity. If your organization does not have the expertise and time available to deal with these types of issues, then you should focus on other important security activities such as application and operating system upgrades to current versions and update management.

Deploying Policies
There are three different options you can use to deploy your policies: • • • Apply the policy with the SCW GUI Apply the policy with the Scwcmd command-line tool Convert the SCW policy to a Group Policy object and link it to a domain or OU

Each option has its own advantages and drawbacks, which are described in the following subsections.

Apply the Policy with the SCW GUI
The main advantage of the SCW GUI option is simplicity. The GUI permits administrators to easily select a predefined policy and apply it to a single computer. The disadvantage of the SCW GUI option is that it only permits application of policies to a single computer at a time. This option does not scale for large environments, and this guide does not use this method.

Apply the Policy with the Scwcmd Command-line Tool
One way to apply native SCW policies to multiple computers without Active Directory is to use the Scwcmd tool. You can also combine the use of Scwcmd with scripting technologies to provide a degree of automated policy deployment, perhaps as part of an existing process that is used to build and deploy servers. The main disadvantage of the Scwcmd option is that it is not automatic. You have to specify the policy and target server, either manually or through some scripting solution, which means there are multiple chances to push the wrong policy to the wrong computer. If you have servers in a group with slightly different configurations, you will need to craft a separate policy for each of those computers and apply them separately. Because of these limitations, this guide does not use this method.

UNCLASSIFIED

14

Windows Server 2003 Security Guide

Convert the SCW Policy to a Group Policy Object
The third option for SCW policy deployment is to use the Scwcmd tool to convert the XML-based policy into a Group Policy object (GPO). Although at first this conversion might seem to be an unnecessary step, its advantages include the following: • • Policies are replicated, deployed, and applied with familiar Active Directory–based mechanisms. Because they are native GPOs, policies can be used with OUs, policy inheritance, and incremental policies to fine-tune the hardening of servers that are configured similarly but not exactly the same as other servers. With Group Policy, you put these servers in a child OU and apply an incremental policy, whereas with SCW you would need to create a new policy for each unique configuration. Policies are automatically applied to all servers that are placed in the corresponding OUs. Native SCW policies must be either manually applied or used in conjunction with some custom scripting solution.

Hardening Servers with Active Directory Group Policy
Active Directory enables applications to find, use, and manage directory resources in a distributed computing environment. Although detailed information about how to design an Active Directory infrastructure could fill an entire book, this section briefly discusses these concepts to establish a context for the rest of the guide. This design information is necessary to provide insight into the use of Group Policy to securely administer your organization's domains, domain controllers, and specific server roles. If your organization already has an Active Directory design, this chapter may provide insight into some of its security benefits or potential issues. This guide does not offer any specific guidance about how to secure the Active Directory database. For such guidance, see the "Best Practice Guide for Securing Active Directory Installations" at www.microsoft.com/downloads/details.aspx?FamilyID=4e734065-3f18488a-be1e-f03390ec5f91&. When you create an Active Directory infrastructure, you must carefully consider the environment's security boundaries. If you adequately plan an organization's security delegation and implementation schedule, the result will be a more secure Active Directory design for the organization. You should only need to restructure the design for major changes to the environment, such as an acquisition or reorganization.

Active Directory Boundaries
There are several different types of boundaries within Active Directory. These boundaries define the forest, the domain, the site topology, and permission delegation, and they are automatically established when you install Active Directory. However, you must ensure that permission boundaries incorporate organizational requirements and policies. Administrative permissions delegation can be quite flexible to accommodate different organizations' requirements. For example, to maintain a proper balance between security and administrative functionality, you can divide the permission delegation boundaries between security boundaries and administrative boundaries.

this guidance recommends that you consider the following types of administrators. In addition to administrators who may perform unique services for your organization. This level of separation can only be achieved at the forest level. Although you can assign permissions to an OU. Your organization may need to consider divided administrative control of services and data within the current Active Directory design. deployment. service administrators maintain domain controller servers. It is difficult to balance the tradeoffs between adequate security (based on how the organization’s business boundaries are established) and the need to maintain a consistent level of base functionality. Unfortunately. you must define the different administration levels that are required. Still. a domain boundary will provide autonomous management of services and data within each domain of the organization. and ensure service availability. for example. not a security boundary. Service Administrators Active Directory service administrators are responsible for the configuration and delivery of the directory service. UNCLASSIFIED . This guide recommends that you create separate forests to keep your environment secure from potential compromise by administrators of other domains. isolation is not so simple to achieve. The forest is the true security boundary of your network environment. will not completely isolate an attack from a rogue domain administrator. OUs are not a true security boundary. you must weigh the threats to your organization against the security implications of delegated administration permissions and other choices that involve your environment's network architecture. Like domains. all OUs in the same domain authenticate resources against the domain and forest resources. A domain is a management boundary of Active Directory. with regard to security. Effective Active Directory design requires that you completely understand your organization's requirements for service autonomy and isolation as well as for data autonomy and isolation. To successfully achieve this balance. Administrative Boundaries Because of the potential need to segment services and data. control directory-wide configuration settings. A domain. a well-designed OU hierarchy will aid the development. This approach also helps ensure that the compromise of one forest does not automatically lead to the compromise of the entire enterprise. and management of effective security measures. Within the domain. You should consider the Active Directory administrators in your organization to be your service administrators. With an organization of well-intentioned individuals. the organizational unit (OU) provides another level of management boundary.Chapter 2: Windows Server 2003 Hardening Mechanisms 15 Security Boundaries Security boundaries help define the autonomy or isolation of different groups within an organization. For example. OUs provide a flexible way to group related resources and delegate management access to the appropriate personnel without providing them the ability to manage the entire domain.

service administrators in Active Directory are also data administrators. The forest administrator chooses the group to administer each domain. • Groups of administrators who manage infrastructure servers. the group that handles domain management will manage the DNS infrastructure because Active Directory is integrated with DNS and is stored and managed on the domain controllers. • Groups of administrators who manage OUs. These administrators have no control over the configuration or delivery of the directory service. Manage member computers in the directory and the data that is on those computers. Some of the data administrators' daily tasks include: • Control a subset of objects in the directory. Data administrators are members of a security group that is created by your organization. These attribute values correspond to settings for their respective objects. which are stored in the directory. Your organizational needs may require you to consider other service administrator groups for your Active Directory service design. The DNS administrator group completes the DNS design and manages the DNS infrastructure. Because of the high-level access that is granted to the administrator for each domain. Through inheritable attribute-level access control. and potentially the DNS infrastructure. The DNS administrator manages the DNS infrastructure through the DNS Administrators group. These groups can control how administration is delegated. The domain administrators control the domains through the Domain Administrators group and other built-in groups. these administrators should be highly trusted individuals. OU administrators can also create new subtrees and delegate administration of the OUs for which they are responsible. Consequently. data administrators can be granted control of very specific sections of the directory but no control over the configuration of the service itself. The OU administrator designates a group or individual as a manager for each OU. Each OU administrator manages the data that is stored within the assigned Active Directory OU. • Note: In many cases. In some cases. attribute values for objects that are stored in the directory determine the directory's service configuration. Some examples include: • A domain administration group that is primarily responsible for directory services.16 Windows Server 2003 Security Guide The Active Directory service configuration is often determined by attribute values. organizations can develop their own security group naming standards and meanings to best fit their environment. Therefore. Data Administrators Active Directory data administrators manage data that is stored in Active Directory or on computers that are joined to Active Directory. • Groups of administrators who manage DNS. Sometimes the default security groups in Windows do not make sense for all situations in the organization. DHCP. . and how policy is applied to objects within their OUs. The group that is responsible for infrastructure server administration manages WINS.

although they are usually used to hold objects of one specific type. These containers can hold any security principal in the domain. disk editor. With the stolen SID added to the user's SID History. Reasonably believe that service administrators will follow best practices and restrict physical access to the domain controllers. they also provide an effective way to segment administrative boundaries. You can use an OU to provide role-based administrative capabilities. and other security principals. However. You can also create an OU to UNCLASSIFIED . Delegating Administration and Applying Group Policy OUs are containers within the directory structure of a domain. The use of OUs to manage and assign security policies based on server role is an integral piece of the overall security architecture for the organization. Additionally. Coerced administrators. users. Understand and accept the risks to the organization that include the possibility for: • Rogue administrators. The rogue administrator could then use an application programming interface (API) tool. OUs provide a crucial structure for the deployment of Group Policy objects (GPOs) because they can segment resources by security need and allow you to provide different security to different OUs.Chapter 2: Windows Server 2003 Hardening Mechanisms 17 To summarize. Trusted administrators might become rogue administrators and abuse the privileges they have on the network. one group of administrators could be responsible for the user and group OUs while another group could manage the OUs that contain the servers. enterprise security programs must develop standard policies and procedures that perform appropriate background checks for the administrators. before the owners of Active Directory service and directory structures are allowed to join a forest or domain infrastructure. Such organizations might determine that the collaborative and cost-saving benefit of participating in a shared infrastructure outweighs this risk. groups. To grant or revoke OU access permissions to a group or individual user. the rogue administrator would have administrative privileges in the stolen SID's domain as well as their own domain. A user or administrator may use social engineering techniques or threats of physical or other harm on legitimate administrators of a computer to obtain the information that is needed to gain access to the computer. A trusted administrator might be coerced or compelled to perform operations that breach the security of a computer or the network. Active Directory and Group Policy Although OUs offer an easy way to group computers. or debugger to add the stolen SID to the SID History list of an account within their own domain. the organization must trust all service administrators in the forest and all domains. • • • Some organizations might accept the risk of a security breach by a rogue or a coerced service administrator from another part of the organization. to trust service administrators means to: • Reasonably believe that service administrators will primarily concern themselves with the organization's best interests. other organizations might not accept the risk because the potential consequences of a security breach are too severe. A rogue administrator within a forest could easily look up the security identifier (SID) for another administrator from another domain. Also. you can set specific access control lists (ACLs) on the OU and the permissions will be inherited by all of the objects within the OU. Organizations should not elect to join a forest or domain if the owners of that forest or domain might have legitimate reasons to act maliciously against the organization. In the context of this security guide. For example.

The following illustration provides a high-level view of such an OU configuration. consider the infrastructure servers that reside in a domain. You can use an OU to easily provide administrative capabilities to these servers. For example. For more complex organizations. . see the "More Information" section at the end of this chapter. Note: Because Active Directory depends so heavily on DNS. Figure 2. This approach provides the delegated group with autonomous control over a particular OU but does not isolate them from the remainder of the domain. Oftentimes an operations group or an infrastructure administration group maintains these servers. At a lower level of authority. security groups. including servers that provide WINS and DHCP services. The examples in this guide follow this practice. This approach is only one way that OUs can be used to provide administrative segmentation. Domain controllers are placed in the built-in Domain Controllers OU by default. it is common practice to run the DNS service on domain controllers.1 OU delegation of administration When the Infrastructure Admin group is delegated control of the Infrastructure OU. This capability allows members of the group to secure the server roles with Group Policy. Administrators that delegate control over specific OUs are likely to be service administrators. Administrative Groups Administrators can create administrative groups to segment clusters of users. users that control the OUs are usually data administrators. or servers into containers for autonomous administration. so the infrastructure server role does not include the DNS service.18 Windows Server 2003 Security Guide contain a group of resource servers to be administered by other users through a process called delegation of control. the members of this group will have full control of the Infrastructure OU and all servers and objects within the OU. Infrastructure servers include all of the non-domain controllers that run basic network services.

The final GPO to be applied is at the child OU level that contains the server object. the last one that is applied will take precedence. the name of this option is Enforced. GPOs that exist at the highest level OU are applied first. When you use Group Policy instead of manual steps. You should ensure computer time is accurate and that all servers in your organization use the same time source. and behavior to all servers within an OU. especially authentication. • Time Configuration Many security services. If multiple policies specify the same option. Figure 2. it is simple to update multiple servers with any additional changes that might be required. any GPOs are applied at the site level. You must configure a Group Policy with the No Override option if you do not want other GPOs to override it. Group Policies are accumulated and applied in the order that is shown in the following illustration. The Windows Server 2003 W32Time UNCLASSIFIED . If you use the Group Policy Management Console (GPMC) to manage your GPOs. After that. policies are applied first at the local policy level of the computer. Remember the following basic considerations when you apply Group Policy: • You must set the GPO application order for Group Policy levels with multiple GPOs. and then at the domain level.Chapter 2: Windows Server 2003 Hardening Mechanisms 19 Group Policy Application Use Group Policy and delegate administration to apply specific settings. The order of precedence for processing Group Policy extends from the highest OU (farthest from the user or computer account) to the lowest OU (the one that actually contains the user or computer account). rights. If the server is nested in several OUs. rely on an accurate computer clock to perform their jobs.2 GPO application hierarchy As seen in the illustration. The GPO application process continues down the OU hierarchy.

it is very important to store security templates for a production environment in a secure location that only administrators who implement Group Policy can access. . The external server could be compromised or spoofed by an attacker to maliciously manipulate the clocks on your computers. a number of Windows Server family components rely on accurate and synchronized time. All domain controllers in a domain synchronize their time with the PDC emulator operations master in their domain as their inbound time partner. Also. Before you synchronize with an external server. you risk configuring your servers with the incorrect time. Note that NTP synchronization uses UDP port 123 traffic. All PDC operation masters in other domains in the forest follow the hierarchy of domains when they select a PDC emulator with which to synchronize their time. This synchronization is necessary for the Kerberos protocol and other authentication protocols to work properly. such as a reliable NTP source or a highly accurate clock on your network. Another important benefit that time synchronization provides is event correlation on all of the clients in your enterprise. Security Template Management Security templates are text–based files that you can use to apply a security configuration to a computer.20 Windows Server 2003 Security Guide service provides time synchronization for Windows Server 2003 and Microsoft Windows XP–based computers that run in an Active Directory domain. All member servers and client desktop computers use the authenticating domain controller as their inbound time partner. the Kerberos authentication protocol might deny access to users. The purpose is not to prevent *. The W32Time service synchronizes the clocks of Windows Server 2003–based computers with the domain controllers in a domain. Therefore. the Kerberos authentication protocol requires synchronized computer clocks. To function correctly. You can modify security templates with the Microsoft Management Console (MMC) Security Templates snap-in or with a text editor such as Notepad. You can find more information about how to edit security templates and SDDL on the "Security Descriptor Definition Language" page on Microsoft MSDN® at http://msdn. but rather to prevent unauthorized changes to the source security templates. if you synchronize with an external server that you do not control. By default. To ensure that the time is accurate. The W32Time service uses the Network Time Protocol (NTP) to synchronize clocks on computers that run Windows Server 2003.asp. If the clocks are not synchronized on the clients. Some sections of the template files contain specific ACLs that are written in the Security Descriptor Definition Language (SDDL). time is synchronized by default in the following manner: • • • • The primary domain controller (PDC) emulator operations master in the forest root domain is the authoritative time source for the organization. Synchronized clocks on the clients in your environment ensure that you can correctly analyze events that take place in uniform sequence on those clients throughout the organization.microsoft. As explained earlier. In a Windows Server 2003 forest. a denial of service may occur. the PDC emulator in the forest root domain can be synchronized to an authoritative time source. you should weigh the benefits of opening this port against the potential security risk. If they are not synchronized. authenticated users have the right to read all settings in a Group Policy object.inf files from being viewed.com/library/ en-us/secauthz/security/security_descriptor_definition_language.

print. Successful GPO Application Events Although an administrator can manually check all of the settings to ensure that they have been appropriately applied to the servers in your organization. it is converted into a GPO and linked with the Member Servers OU. You will see this type of event if any changes occurred during these intervals. you can use SCW on a standard member server to create a Member Servers Baseline.xml file. EC-Member Server Baseline." Member Server Baseline Policy The first step in the establishment of server role OUs is to create a baseline policy. Important: For simplicity. This new baseline GPO will apply the settings of the baseline Group Policy to any servers in the Member Servers OU. By default. as well as any servers in child UNCLASSIFIED . To create such a policy.inf.Chapter 2: Windows Server 2003 Hardening Mechanisms 21 All computers that run Windows Server 2003 store security templates in their local %SystemRoot%\security\templates folder. This folder is not replicated across multiple domain controllers. After you generate the SCW policy. For example. use SCW to include one of the supplied Member Server Baseline security templates (LC-Member Server Baseline. the examples in this chapter assume the use of the Enterprise Client environment. or SSLF-Member Server Baseline. This type of Group Policy forms a consistent baseline of standard settings for all of the servers in your organization. You can also manually force Group Policy settings to update using the procedure that is described later in this chapter. an event should also appear in the event log to inform the administrator that the domain policy was successfully downloaded to each of the servers. and Certificate Services are a few of the server roles in an organization that may require unique Group Policies.inf). "Introduction to the Windows Server 2003 Security Guide. substitute the appropriate file names. After the centrally-located template is modified. it can be redeployed to the appropriate computers. An event similar to the following should display in the Application log with its own unique Event ID number: Type: Information Source ID: SceCli Event ID: 1704 Description: Security policy in the Group Policy objects has been applied successfully. so you will need to designate one location to hold the master copy of the security templates to prevent version control problems with the templates. As part of the XML creation. Sever Role Organizational Units The previous example showed a way to manage an organization's infrastructure servers. Internet Information Server (IIS). the settings are refreshed every 16 hours. Also. Internet Authentication Server (IAS).inf. This method can be extended to encompass other servers and services in an organization. This approach will ensure that you always modify the same copy of the templates. regardless of whether any changes were made. the OU structure and the application of Group Policies must provide a detailed design to provide security settings for specific types of servers in an organization. The differences between the three environments and their functionality are discussed in Chapter 1. file. The goals are to create a seamless Group Policy for all servers and to ensure that the servers that reside within Active Directory meet the security standards for your environment. the security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. Also. If you use one of the other two environments.

22 Windows Server 2003 Security Guide OUs. or SSLF (for Specialized Security – Limited Functionality) as appropriate. one for each security environment: LC-Infrastructure Server. these security templates will help you create a security policy that contains the specific adjustments that are required by DHCP and WINS.inf below the Member Servers OU. Although there may be some servers that should not receive the baseline policy. The following table lists the Windows Server 2003 server roles and corresponding template files that are defined in this guide. The Member Server Baseline Policy is discussed in Chapter 4.inf <Env>-File Server. EC-Infrastructure Server. Table 2. EC (for Enterprise Client).inf. All locked down WINS and DHCP servers. "The Member Server Baseline Policy. and SSLF-Infrastructure Server. which is a child of the Member Servers OU.inf Domain controller Infrastructure server File server <Env>-Infrastructure Server.1 Windows Server 2003 Server Roles Server role Member server Description Security template file name All servers that are members of <Env>-Member Server the domain and reside in or Baseline. Server Role Types and Organizational Units Each identified server role requires an additional SCW policy.inf. All Active Directory domain controllers. The security template file names are prefixed with the <Env> variable. The resultant policy is then converted into a new GPO and linked to the Infrastructure OU. This approach permits the creation of separate policies for the incremental changes that are required by each role. For more information about how to create OUs for Group Policy implementation. If you create your own baseline Group Policy. The next step is to apply the appropriate configuration to these servers.inf.inf . make it as restrictive as possible and segment any servers that need to differ from this policy into separate server-specific OUs. this approach is only one of many ways to create an OU structure that you can use to deploy GPOs. In a previous example." You should define the desired settings for most of the servers in your organization in the baseline Group Policy. Three security templates are provided with this solution. <Env>-Domain Controller. This GPO uses the Restricted Groups setting to add the following three groups to the Local Administrators group of all servers in the Infrastructure OU: • • • Domain Administrators Enterprise Administrators Infrastructure Administrators As mentioned earlier in this chapter. These servers are also DNS servers. All locked down file servers. see "Designing the Active Directory Structure" and related topics at www.microsoft.asp?frame=true. and OU in addition to the baseline OU. the infrastructure servers were placed into the Infrastructure OU. When used together with SCW. security template. which would be replaced by LC (for Legacy Client).com/resources/documentation/Windows/2000/server/ reskit/en-us/deploy/dgbd_ads_heqs. these should not be many.

All locked down IAS servers. An example of the final OU design to support these defined server roles in the EC environment is shown in the following illustration.inf <Env>-IAS Server. UNCLASSIFIED .inf All template files except those for the bastion host servers are applied to the corresponding child OUs.inf <Env>-CA Server. Important: This guide assumes that computers that run Windows Server 2003 will perform specifically defined roles. However. If the servers in your organization do not match these roles. All locked down Certification Authority (CA) servers. For example. The security requirements for each of these server roles are different. Appropriate security settings for each role are discussed in detail in later chapters. All Internet-facing servers. remember that the more functions that each of your servers perform. Each of these child OUs require that you apply the specific configuration to define the role that each computer will fulfill in the organization. All locked down IIS web servers. or if you have multipurpose servers. use the settings that are defined here as guidelines for your own security templates. Note that not all roles have templates that correspond to all environments. the more vulnerable they are to attack.Chapter 2: Windows Server 2003 Hardening Mechanisms 23 Server role Print server Web server IAS server Certificate Services server Bastion host Description All locked down print servers.inf <Env>-Web Server. Security template file name <Env>-Print Server.inf <Env>-Bastion Host. the bastion host role is always considered to be in the SSLF environment.

24 Windows Server 2003 Security Guide Figure 2.3 OU design example .

Create the Active Directory environment. You should create the appropriate administrative groups and delegate OU permissions to the corresponding groups. Table 2. Process Overview This guide combines the strengths of the SCW-based and Group Policy-based approaches. They used the corresponding GPO to add each of these administrative groups to the appropriate restricted group. including groups and OUs. test. Administrators use their predefined administration boundaries to create their respective administrative groups. who are responsible for Active Directory infrastructure and security. Finally. and deploy the policies is as follows: 1. but still provides the flexibility and scalability that is required in large Windows networks.Chapter 2: Windows Server 2003 Hardening Mechanisms 25 OU. It is not part of this guide. Configure time synchronization on the domain controller that hosts the PDC Emulator FSMO. An example of the correlation of these groups to the OUs they manage is shown in the following table. GPO. the Domain Engineering members set permissions on each GPO so that only administrators in their group are able to edit them. Create the baseline policies with SCW. 3. and Group Design The recommended OUs and policies that were discussed in the previous section create a baseline or new environment to restructure an organization's existing OU structure for computers that run Windows Server 2003. 4.2 OUs and Administrative Groups OU name Domain Controllers Member Servers Infrastructure File Print IAS Web CA Administrative group Domain Engineering Domain Engineering Infrastructure Admins Infrastructure Admins Infrastructure Admins Domain Engineering Web Services Enterprise Administrators Each administrative group was created as a global group within the domain by the Domain Engineering members. The process that is used to create. UNCLASSIFIED . Configure the domain policies. The administrative groups that are listed in the table will only be members of the Local Administrators group for the computers that are located in the OUs that specifically contain computers that are related to their job functions. This hybrid approach allows you to create and test security configurations more easily. 2. Note that the creation and configuration of these groups is a part of your overall Active Directory design and implementation process.

Move all WINS and DHCP servers into the Infrastructure OU. It is not usually necessary to synchronize all servers' time . 7. Create the role policies with SCW and the included security templates. where <PeerList> is a comma-separated list of DNS names or IP addresses for the desired time sources: w32tm /config /syncfromflags:manual /manualpeerlist:<PeerList> 2. 1. Note: For simplicity." Create the Active Directory Environment Before you can begin the hardening process. and Certificate Services server roles. This synchronization will help ensure that Kerberos authentication works properly and allow you to keep your Active Directory domain synchronized with any external computers that you may have. However. The following sections describe these steps in greater detail. 8. the procedure will fail and an entry will be written to the event log. Run the Delegation of Control Wizard to provide the Infrastructure Admins group with Full Control of the OU. The most common use of this procedure is to synchronize the internal network's authoritative time source with a very precise external time source. 1. Configure Time Synchronization The following procedure ensures that the domain controllers and member servers are synchronized with an external time source. Navigate to this new OU and create a child OU within it called Infrastructure.msc). substitute the appropriate file names. 9. Convert the role policies to GPOs and link them to the appropriate GPOs. To update the configuration. web server. Convert the baseline policies to GPOs and link them to the appropriate GPOs. open a command prompt and execute the following command. Open the MMC Active Directory Users Computers snap-in (Dsa. In the root of the domain object. IAS server. The differences between the three environments and their functionality are discussed in Chapter 1. 2. On the domain controller with the PDC Emulator FSMO. 7. this procedure can be run on any computer that runs Windows XP or member of the Windows Server 2003 family. "Introduction to the Windows Server 2003 Security Guide.26 Windows Server 2003 Security Guide 5. 5. you must have an appropriate Active Directory domain and OU structure in place. Test the baseline policies with SCW. Create a global security group called Infrastructure Admins and add the appropriate domain accounts to it.2 for the appropriate OU and group names. print server. execute the following command: w32tm /config /update 3. create an OU called Member Servers. If the computer cannot reach the servers. 3. Check the event log. The following procedure lists the steps that you will use to create the OUs and groups that are used in this guide and configure them for the appropriate administrative access. 6. Test the role policies with SCW. 6. If you use one of the other two environments. 4. Use the information in Table 2. Repeat steps 3 through 6 for the file server. the examples in this section assume the use of the Enterprise Client (EC) environment.

Back up each domain controller and server in your environment before you apply any new security settings. This policy is provided as a security template. Verify in the event log that the Group Policy downloaded successfully and that the server can communicate with the other domain controllers in the domain. and then select Import Policy. and then press ENTER. 3. right-click the domain. You should also ensure that any other domains that will use this same policy have the same business requirements. 8. and then select No Override. However. To import the Domain Policy security templates 1. member computers always synchronize their clocks with domain controllers. UNCLASSIFIED . there may be business or legal requirements that segment some users into a separate domain simply to enforce the use of a stricter password policy on that group. Type EC-Domain Policy.Chapter 2: Windows Server 2003 Hardening Mechanisms 27 clocks with an external source if they are synchronized with the same internal source. the specific policy (. Right-click Security Settings. Also.inf. Important: You should import this Group Policy into any additional domains in the organization to ensure consistent application of password policy. In Active Directory Users and Computers. because SCW does not address domain-level policies. In the Import Policy From dialog box. and mission critical applications could fail. Because the password policy can only be set at the domain level. On the Group Policy tab. 11. Ensure the system state is included in the backup. In the Group Policy Object Editor window. you can initiate the process manually. By default. It is essential that you thoroughly test these settings before you deploy them in a production environment. It is quite possible that their installation could cause some functionality in your environment to be lost. Select EC-Domain Policy. 7. Right-click EC-Domain Policy. position it to have the highest priority among the GPO links. 2. 9. Configure the Domain Policy The following procedure imports the security templates that are provided with this guide for the domain-level policy. 6. which will enable registry settings and Active Directory objects to be restored if necessary. To ensure that this new Group Policy has precedence over the default policy. Close the Group Policy that has been modified. type gpupdate /Force and press ENTER. Do not enable this option in any of the other Group Policies that are specified in this guide. click New to add a new GPO. Warning: When you create the EC-Domain Policy. you should also synchronize the clocks of network computers that run operating systems other than Windows to the Windows Server 2003 PDC emulator or to the same time source for that server. Note: For accurate log analysis. Before you implement the following procedure. If you do not want to wait for scheduled Group Policy application. Close the Domain Properties window. ensure that the No Override option is enabled to enforce this policy throughout the domain. and then click Edit. Warning: The security templates in this guide are designed to increase security in your environment. 5. and then select Properties. Open a command prompt.inf) file must be located on your computer. it is not uncommon to find environments in which the root domain password policy is much stricter than any of the other domains. 4. do not modify the Windows Server 2003 default domain policy—in case you need to return to its default settings. This Group Policy is the only one in this guide in which the No Override option must be enabled. navigate to "\Tools and Templates\Security Guide\Security Templates" and then double-click EC-Domain. 10. click Computer Configuration\Windows Settings.

. 2. Remove any unnecessary groups that were previously added by administrators. Install the Security Configuration Wizard component on the computer through Control Panel. This role is commonly configured on servers that do not require it and could be considered a security risk. You should use a new installation of the operating system to begin your configuration work. To enable the File server role for servers that require it. Ensure that the detected administrative options are appropriate for your environment. Join the computer to the domain. and point it to the reference computer. 4. 3. and antivirus or antispyware utilities. To create the Member Server Baseline Policy 1. and then click Advanced. 6. During the member server baseline policy (MSBP) creation steps. Add/Remove Programs. The new installation is called a reference computer. which helps ensure that there are no legacy settings or software from previous configurations. 1. 2. Include these with entries specifically defined here checkbox. tape backup agents. Create a new installation of Windows Server 2003 with SP1 on a new reference computer. Click the Security tab. you should use hardware that is similar to the hardware that you will use in your deployment. Remove the File server role from the listed of detected roles. the new OU structure inherits many security settings from its parent container. which will help ensure as much compatibility as possible. 8. select Create new policy. 4. Add/Remove Windows Components. Ensure that the detected client features are appropriate for your environment. Right-click the appropriate OU. you can apply a second policy later in this process. Clear the Allow inheritable permissions from parent to propagate to this object and all child objects. Click View and then Advanced Features to select the Advanced view. Retain the Full Control setting for the Domain Administrators group. and add the domain group that corresponds to each server role OU.28 Windows Server 2003 Security Guide To clear the Allow Inheritable Permissions option By default. Ensure that any additional services that required by your baseline. 9. such as backup agents or antivirus software. Install only the mandatory applications that should be on every server in your environment. Examples include your software and management agents. and then click Properties. 7. 5. Create the Baseline Policies Manually Using SCW The next step is to use SCW to create the member server baseline policy. Open Active Directory Users and Computers. Launch SCW. 5. 3. note that you remove the File server role from the list of detected roles. For each OU. are detected. If possible. clear the check box for Allow inheritable permissions from parent to propagate to this object and all child objects.

inf). However. You can use either an existing domain controller or create a reference computer and use the Dcpromo tool to make the computer a domain controller. Skip the "Audit Policy" section. 13. 7.inf). 4. EC-Member Server Baseline. 2. 12. 12. Add/Remove Windows Components. 11. Ensure that any additional services that are required by your baseline. select Create new policy. and point it to the reference computer. are detected. Save the policy with an appropriate name (for example. such as backup agents or antivirus software. If you use an existing domain controller. most organizations do not want to add a domain controller to their production environment because it may violate their security policy. Include the appropriate security template (for example. you may wish to configure this setting to Disable. Ensure that the detected administrative options are appropriate for your environment. For extra security. 11. Skip the "Registry Settings" section. 10. Domain Controller. Decide how to handle unspecified services in your environment. make sure that you do not apply any setting to it with SCW or modify its configuration. you may wish to configure this policy setting to Disable. 8. 9. 13. UNCLASSIFIED . and antivirus or antispyware utilities. You should test this configuration before you deploy it to your production network. To create the Domain Controller policy You must use a computer that is configured as a domain controller to create the Domain Controller policy. 5. Ensure that the detected client features are appropriate for your environment. Ensure that the detected roles are appropriate for your environment. Skip the "Registry Settings" section. 15. 1. Examples include your software and management agents. Review the network settings and ensure that the appropriate ports and applications have been detected and will be configured as exceptions for the Windows Firewall. tape backup agents.Chapter 2: Windows Server 2003 Hardening Mechanisms 29 10. Skip the "Audit Policy" section. 6. EC-Domain Controller.xml). because it may cause problems if your production servers run additional services that are not duplicated on your reference computer. Decide how to handle unspecified services in your environment. 14. Review the network settings and ensure that the appropriate ports and applications have been detected and will be configured as exceptions for the Windows Firewall. For extra security. 3. Save the policy with an appropriate name (for example.xml). Include the appropriate security template (for example. Add/Remove Programs. Install the Security Configuration Wizard component on the computer through Control Panel. Launch the SCW GUI. Member Server Baseline. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer. Install only the mandatory applications that should be on every server in your environment.

if the server is configured as a certification authority (CA). At a command prompt. To verify that Windows Firewall is active. You can use SCW to push policies to a single server at a time. This approach will allow you to find and fix potential problems.microsoft. you should begin to verify the core functionality of the computer. ensure that clients can request and obtain certificates. such as the presence of unexpected services that are required by specific hardware devices. or deploy the policies through a GPO.microsoft. your test servers will have the same hardware and software configuration as your production servers.mspx and the downloadable version of the Security Configuration Wizard Documentation at http://go. After you apply the configuration changes. This capability can be very useful when you make multiple changes to your policies during the testing process. The policies are tested to ensure that their application to the target servers will not adversely affect their critical functions. When you start to author your policies. 2.com/fwlink/?linkid=43450.xml> /g:<GPODisplayName> and then press ENTER. The native deployment method offers the advantage of the ability to easily roll back deployed policies from within SCW. When you are confident in your policy configurations. For more detailed information about how to test SCW policies. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. you can use Scwcmd as shown in the following procedure to convert the policies to GPOs.30 Windows Server 2003 Security Guide Test the Baseline Policies Using SCW After you create and save the baseline policies. For example: scwcmd transform /p:"C:\Windows\Security\msscw\Policies\Infrastructure. Windows Firewall must be active on the local computer for this procedure to complete successfully. confirm that the appropriate settings were made and that functionality is not affected. For example. Note that if the SCW security policy file contains Windows Firewall settings. Two options are available to test the policies. This information should all be entered on one line. type the following: scwcmd transform /p:<PathToPolicy. see "Deployment Guide for the Security Configuration Wizard" at http://technet2. . and so on.xml" /g:"Infrastructure Policy" Note: The information to be entered at the command prompt shows on more than one line here because of display limitations.com/WindowsServer/en/Library/5254f8cd-143e-4559-a2999c723b3669461033. You should now perform a final test to ensure that the GPO applies the desired settings. or use Scwcmd to push them to a group of servers. Ideally. download a certificate revocation list. To complete this procedure. You can use the native SCW deployment facilities. complete the following steps to convert them into GPOs and link them to the appropriate OUs: 1. you should consider using the native SCW deployment facilities. Convert the Baseline Policies to GPOs After you thoroughly test the baseline policies. Microsoft strongly recommends that you deploy them to your test environment. open Control Panel and then double-click Windows Firewall.

install those components. 10. 13. 18. there are two different ways to test the policies. They do not need to be configured exactly the same as the deployed servers. Configure the appropriate roles for the computer. 16. 5. if your target servers will run DHCP and WINS. Review the network settings and ensure that SCW detected the appropriate ports and applications to configure as exceptions for the Windows Firewall. Join the new server to the domain. 3. or you can deploy the policies through GPOs. Ensure that the detected roles are appropriate for your environment. Install the mandatory applications that should be on every server in your environment. 7. 12. Skip the "Audit Policy" section. which will disable any new service that was not explicitly allowed through SCW. are detected. Skip the "Registry Settings" section. To create the role policies 1. tape backup agents. 2. Launch SCW. If the server is configured with the Web server role. Ensure that any additional services required by your baseline. 9. You should once again use a reference computer to help ensure that there are no legacy settings or software from previous configurations. 11. Add/Remove Windows Components. Click Include Security Templates to add the appropriate security template. Test the Role Policies Using SCW As with the baseline policies. Ensure that the detected administrative options are appropriate for your environment. 4. Install the Security Configuration Wizard component on the computer through Control Panel. 17. 19. Select Create new policy and point it to the reference computer. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer. For example. Confirm all service changes that are listed. 15. Add/Remove Programs. UNCLASSIFIED . 6.Chapter 2: Windows Server 2003 Hardening Mechanisms 31 Create the Role Policies Using SCW The next step is to use SCW to create the role policies for each server role. For stronger security (and reduced functionality) you may wish to configure this policy setting to Disable. and antivirus or antispyware utilities. You can use the native SCW deployment facilities. 14. Examples include your software and management agents. Save the policy with an appropriate name. complete the steps in the “Internet Information Services” section to ensure that SCW is configured to support the necessary IIS features. 8. Ensure that the detected client features are appropriate for your environment. Create a new installation of Windows Server 2003 with SP1 on a new reference computer. such as backup agents or antivirus software. but the roles must be installed. The steps to create the role-specific policies are similar to the steps you followed when you created the MSBP. Decide how to handle unspecified services in your environment.

To verify that Windows Firewall is active. 2. operational isolation. After you thoroughly test the new configuration. This information should all be entered on one line. Windows Firewall must be active on the local computer for this procedure to complete successfully.32 Windows Server 2003 Security Guide Again. At a lower level.xml> /g:<GPODisplayName> and then press ENTER. domain. Several design considerations are involved when forest.xml" /g:"Infrastructure Policy" Note: The information to be entered at the command prompt shows on more than one line here because of display limitations. you can convert the policies into GPOs as shown in the following procedure and apply them to the appropriate OU. Malicious service administrators can present a great risk to an organization. At a command prompt. Note that if the SCW security policy file contains Windows Firewall settings. and make sure to move it above the Default Domain Controllers Policy so that it receives the highest priority. For example: scwcmd transform /p:"C:\Windows\Security\msscw\Policies\Infrastructure. This approach will help minimize downtime and failures in your production environment. type the following: scwcmd transform /p:<PathToPolicy. and OU designs are reviewed to secure an environment. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. It is important to research and document any specific autonomy and isolation requirements for the organization. complete the following steps to convert them into GPOs and link them to the appropriate OUs: 1. Political autonomy. Although it may not be easy to change the forest or domain design in an organization. This chapter provided detailed information about how to create an OU model that will support the use of GPOs for the ongoing management of different server roles in the organization. it may be necessary to remediate some security risks. and legal or regulatory isolation are all valid reasons to consider complex forest designs. open Control Panel and then double-click Windows Firewall. It is also important to plan the OU deployment in the organization to accommodate the needs of both service administrators and data administrators. . malicious domain administrators can access data in any domain in the forest. Summary Security administrators need to understand the strengths and weaknesses of SCW compared to conventional Group Policy-based hardening methods so that they can choose the right methodology for their environment. It is important that you understand how to control service administrators. SCW and Group Policy can be used together to gain the ability to rapidly and consistently prototype policies that SCW provides together with the scalable deployment and management capabilities of Group Policy. Microsoft strongly recommends that you deploy your role policies in a test environment before you use them in production. Convert the Role Policies to GPOs After you thoroughly test the role policies.

see “Best Practice Guide for Securing Active Directory Installations” at www. • • For more information about security and privacy at Microsoft. see the Trustworthy Computing: Security page at www. see “Ten Immutable Laws of Security” at www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx. see the Microsoft Knowledge Base article "How to configure an authoritative time server in Windows 2000" at http://support. For sound security guidelines.Chapter 2: Windows Server 2003 Hardening Mechanisms 33 More Information The following links provide additional information about topics that relate to hardening servers that run Windows Server 2003 with SP1. see the Microsoft Knowledge Base article "Service overview and network port requirements for the Windows Server system" at http://support.microsoft.com/mscorp/twc/default.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirecto ry/plan/addeladm. For information about Active Directory design considerations. For information about network ports that are used by Microsoft applications. see “Design Considerations for Delegation of Administration in Active Directory” at www.aspx?FamilyID=4e734065-3f18-488a-be1ef03390ec5f91&.microsoft.com/?kbid=216734.com/kb/832017. For guidance about how to secure the Active Directory database.com/downloads/details.microsoft.m spx. • • • • UNCLASSIFIED . For information about how to configure a time server.microsoft.mspx.

.

This chapter focuses on the following topics: • • Security settings and countermeasures at the domain level. The following sections of this chapter will only discuss the Domain Level policy in detail. which is available at http://go.com/fwlink/?LinkId=15159.microsoft. For example. Role-Specific Level. such as account and password policies that must be enforced for all servers in the domain. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. Enterprise Client (EC). The baseline environment that is discussed in Chapter 2. Domain Policy You can apply Group Policy security settings at several different levels in an organization.UNCLASSIFIED Chapter 3: The Domain Policy Overview This chapter uses the construction of a domain environment to demonstrate ways to address security within a Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1) infrastructure. Most of the domain security settings that are addressed are for user accounts and passwords. When you review these settings and recommendations. How to secure a Windows Server 2003 domain for the Legacy Client (LC). Settings at this level address common security requirements. and Specialized Security – Limited Functionality (SSLF) environments that are defined in Chapter 1." This information provides a foundation and a vision for how to evolve from an LC environment to an SSLF environment within a domain infrastructure. For information about all default settings. Baseline Level. To improve the usability of this material. "Introduction to the Windows Server 2003 Security Guide. this chapter only discusses those settings that have been modified from the default values. highly secure state. the security requirements for infrastructure servers differ from those for servers that run Microsoft Internet Information Services (IIS). Settings at this level address security requirements for specific server roles. see the companion guide. UNCLASSIFIED . Windows Server 2003 with SP1 ships with default values that are set to a known. "Windows Server 2003 Hardening Mechanisms" used Group Policy to apply settings at the following three hierarchy levels in the domain infrastructure: • • • Domain Level. Settings at this level address specific server security requirements that are common to all servers in the domain infrastructure. remember that all settings apply to every user in the domain boundary.

some applications that are designed to work with Active Directory make changes to the built-in Default Domain Policy.36 Windows Server 2003 Security Guide Domain Policy Overview Group Policy is extremely powerful because it allows an administrator to create a standard network computer configuration. These applications are not going to be aware of the new Group Policy you implemented if you follow the recommendations in this guide. check to see whether the application has modified account policies. be sure to test them thoroughly. The following sections provide detailed information about the security settings that you can use to enhance the security of Windows Server 2003 with SP1. because if you need to roll back changes you can simply disable it. and Kerberos policy security settings. and determine settings that relate to the Kerberos authentication protocol. Change settings in the registry. This section discusses each specific password policy setting and how . If you encounter problems. Before you deploy new enterprise applications. Configure audit and event logs. such as ticket lifetimes and enforcement. Account Policies Account policies. because they allow administrators to make security changes simultaneously on all computers in the domain or subsets of the domain. Kerberos policies are used for domain user accounts. Modify permissions on registry objects. which include password policy. Group Policy objects (GPOs) can provide a significant portion of a configuration management solution for any organization. This approach will make it easier for you to test or troubleshoot the new Group Policy. modified user rights. Account lockout policy allows tracking of unsuccessful password logon attempts to initiate account lockouts if necessary. Configure system services. Password policy provides a way to set complexity and change schedules for high security environments. are only relevant in the domain policy for all three environments that are defined in this guide. Change user rights assignments. You can simultaneously apply the following types of security changes through Group Policy: • • • • • • • Modify permissions on the file system. Set account and password policies. However. and detailed descriptions of how to achieve the security objectives for each setting are also provided. or made other changes to the Default Domain Policy or local computer policies. The settings are divided into categories that correspond to their presentation in the Windows Server 2003 Security Configuration Editor (SCE) user interface. created new user accounts. account lockout policy. Tables are provided that summarize the settings. Password policy settings control the complexity and lifetime for passwords. Password Policy Complex passwords that are changed on a regular basis reduce the likelihood of a successful password attack. This guide recommends that you create a new Group Policy at the domain root to apply the domain-wide policies that are discussed in this chapter.

For example. additional strong security policy is needed to ensure that users create passwords that are hard to compromise. sports teams. including common or clever misspellings of words. Avoid the use of passwords that begin or end with a numeral because they can be guessed easier than passwords that have a numeral in the middle. Although password policy may require users to comply with technical complexity requirements. Breakfast! might meet all password complexity requirements. car. Do not create a new password that simply increments a digit in your current password. and family members). You can configure the password policy settings in the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\ Account Policies\Password Policy Additional information for each setting is provided in the subsections that follow the table. Enforce the use of passwords that require you to type with both hands on the keyboard. Your organization should set strong password creation guidelines that include the following: • • • • • • • • Avoid the use of words from a dictionary in any language. numbers. One strategy of organizational security programs that seek to educate users about strong passwords is to create a poster that describes poor passwords and display it in common areas. Enforce the use of uppercase and lowercase letters. You should also use these guidelines for all service account passwords in your organization. Strict requirements for password length and complexity do not necessarily mean that users and administrators will use strong passwords. but it is not a very difficult password to crack. and Specialized Security – Limited Functionality. and symbols in all passwords. Enforce the use of space characters and characters that can be produced only by pressing the ALT key. Avoid the use of passwords that others can easily guess by looking at your desk (such as names of pets. Avoid the use of words from popular culture.Chapter 3: The Domain Policy 37 they relate to each of the three environments that are defined in this guide: Legacy Client. such as near a water fountain or copy machine. UNCLASSIFIED . or movie. If you know certain facts about the person who creates a password. you might be able to guess their password if it is based on their favorite food. Enterprise Client. Password Policy Settings The following table includes the password policy setting recommendations for all three environments that are defined in this guide.

and because a low number for this setting will allow users to continually recycle a small number of passwords repeatedly. the lower this value is set. The range of values for this policy setting is from 1 to 999 days. However. Microsoft recommends this value for all three environments because it helps ensure that old passwords are not continually reused. either accidentally or on purpose.38 Windows Server 2003 Security Guide Table 3. This configuration ensures that passwords are changed periodically but does not require users . Most passwords can be cracked if an attacker has enough time and computing power. You can configure the Maximum password age setting so that passwords expire as often as necessary for your environment. The value can be set between 0 and 24 passwords. the less time an attacker has to crack it. 24 passwords. Microsoft recommends that the Maximum password age setting be left at the default value of 42 days for all three environments that are defined in this guide. To enhance the effectiveness of this policy setting. there are no known issues with this recommendation for environments that include legacy clients. The default value for this setting is 42 days. because common vulnerabilities are associated with password reuse. The default value for the Enforce password history setting in Windows Server 2003 with SP1 is the maximum. you may also configure the Minimum password age setting so that passwords cannot be changed immediately.1 Password Policy Setting Recommendations Setting Enforce password history Maximum password age Minimum password age Minimum password length Password must meet complexity requirements Store password using reversible encryption Legacy Client 24 passwords remembered 42 days 1 day 8 characters Enabled Enterprise Client 24 passwords remembered 42 days 1 day 8 characters Enabled Specialized Security – Limited Functionality 24 passwords remembered 42 days 1 day 12 characters Enabled Disabled Disabled Disabled Enforce password history This policy setting determines the number of unique new passwords that must be associated with a user account before it is possible to reuse an old password. the greater the potential for an increase in calls to help desk support. Maximum password age This policy setting defines the period in which an attacker who has cracked a password may use it to access a computer on the network before the password expires. The more frequently the password changes. This combination makes it difficult for users to reuse passwords. Regular password changes can help prevent passwords from being compromised. Also.

This configuration is long enough to provide some level of security but still short enough for users to easily remember. a seven-character password would have 26 . When the Minimum password length setting is used.000. it would take approximately 40 days to 8 11 crack. and the computational power that is available to the attacker. An eight-character password has 26 .000. possible combinations. A seven7 character case-sensitive alphanumeric password without punctuation has 62 combinations. Minimum password age This policy setting determines the number of days that a password must be used before a user can change it. Long passwords—eight or more characters—are usually stronger than short ones. at 1. When this setting is used in conjunction with a similar low value in the Enforce password history setting. (Dictionary attacks use word lists to obtain a password through trial and error. a value of 0 allows the password to be changed immediately. or 2 x 10 . The range of values for the Minimum password age setting is between 0 and 999 days. 7 A seven-character case-sensitive alphabetic password has 52 combinations. For example. However.Chapter 3: The Domain Policy 39 to change their password so often that they cannot remember what it is. users would only have to wait 2 days before being able to reuse an old favorite password. users can recycle the same passwords again and again.000 attempts per second (a capability of many password-cracking utilities) it would take only 59 hours to try UNCLASSIFIED . Although this might seem to be an overwhelmingly large number. Without a minimum password age. The default value for this policy setting is 1 day. if Minimum password age is configured to 1 day and Enforce password history to 24. The default value for this setting is seven characters. possible combinations. The Minimum password age setting must be less than the Maximum password age setting. Each additional character in a password increases its complexity exponentially. users can cycle through passwords repeatedly until they can reuse an old favorite. you can increase the value for this policy setting in the Legacy Client and Enterprise Client environments. Minimum password length This policy setting ensures that passwords have at least a specified number of characters. if Minimum password age is configured to 1 day and Enforce password history is configured to 2 passwords. To balance the needs of security and usability. At 1. users cannot use blank passwords and they must create passwords with a specific number of characters. Brute force attacks try every possible password or encrypted text value. users would need to change their password every day for at least 24 days before they could reuse a password—which is unlikely. this configuration provides a reasonably strong defense against the commonly used dictionary and brute force attacks. Also. the size of the potential character set. This guide recommends that you configure the Minimum password length setting to eight characters for the Legacy Client and Enterprise Client environments.) This guide recommends that you configure the Minimum password length setting to 12 characters for the Specialized Security – Limited Functionality environment. unless the Maximum password age setting is configured to 0 (which means that passwords would never expire). The likelihood of a successful brute force attack depends on the length of the password. For 7 7 example.000 attempts per second. or 1 x 10 . Configure the Minimum password age to be greater than 0 if you want the Enforce password history setting to be effective. Microsoft recommends that you enforce the Minimum password age default value of 1 day for all three environments that are defined in this guide.

At 1. and Windows Server 2003 all use a newer hashing algorithm. . When combined with a Minimum password length of 8. It is possible to attack both halves of an LMHash in parallel. minimum length requirements that are too long may cause more mistyped passwords. Consider the following 27-character password—I love cheap tacos for $. A password of 20 or more characters can actually be set so that it is easier for a user to remember—and more secure—than an eight-character password. Also. the second half of the LMHash resolves to a specific value that can inform a cracker that the password is shorter than eight characters. it would take 6.dll file to apply a different set of rules. Older versions of Windows used a specific type of hashing algorithm known as the LAN Manager Hash (LMHash). looking for matches.000 attempts per second. The Windows Server 2003 policy rules cannot be directly modified. For more information about creating a custom Passfilt. it will succumb to a brute-force attack in milliseconds. For these reasons. because the longer passwords require crackers to decrypt two portions of each password instead of only one.microsoft.000.18 x 10 possible combinations. Therefore it is not really beneficial unless it is part of the ALT character set.99. Passwords of at least eight characters strengthen even the weaker LMHash.9 years to cycle through all possible permutations.com/library/default. these times will significantly increase for passwords that use ALT characters and other special keyboard characters. extremely long password requirements can actually decrease the security of an organization because users may be more likely to write their passwords down so that they do not forget them. However. If you include upper and lower case letters and numbers in the keyspace. they present a shortcut for password crackers. they may still calculate and store the LMHash for backward compatibility. Passwords are stored in the Security Accounts Manager (SAM) database or Active Directory after they are passed through a one-way (non-reversible) hash algorithm. this setting makes it very difficult to mount a brute force attack. Remember. Windows XP. see the MSDN® article "Sample Password Filter" at http://msdn. the use of shorter passwords in place of longer ones is not recommended. you can create a new version of the Passfilt. This algorithm breaks up the password into blocks of seven or fewer characters and then calculates a separate hash value for each block.dll file. Therefore. If a password is seven characters or less. When the LMHash values are present. Dictionary attacks run entire dictionaries through the encryption process. However. This type of password (really a pass phrase) might be simpler for a user to remember than a shorter password such as P@55w0rd. An eight-character password then has 2. Although Windows 2000 Server. which can cause an increase in locked out accounts and help desk calls. such as ! or @.asp?url=/library/en-us/secmgmt/ security/sample_password_filter. the only known way to tell if you have the right password is to run it through the same one-way hash algorithm and compare the results. and the second half of the LMHash is only 1 character long.40 Windows Server 2003 Security Guide all possible passwords. Password must meet complexity requirements This policy setting checks all new passwords when they are created to ensure that they meet complexity requirements. the number of available characters increases from 26 to 62 14 characters.asp. They are a simplistic yet very effective approach to determine who uses common words like "password" or "guest" as their account passwords.

Requirements for passwords that are too long may also lead to more calls to the help desk from users who forget their passwords. Microsoft recommends that you configure the Store password using reversible encryption setting to Disabled unless application requirements outweigh the need to protect password information. To prevent password changes (except when required). You can implement this configuration for an entire domain through Group Policy. or you can edit the registry to implement it for one or more specific users. Note that security-conscious users may want to change their passwords more often and will have to contact an administrator to do so. For more detailed instructions about this configuration. some organizations require centralized control over all users. UNCLASSIFIED . Users can change their passwords during the period between the minimum and maximum password age settings. How to Prevent Users from Changing a Password Except When Required Although the password policy settings that are described in the previous section provide a range of options. Also. which will increase support costs. Centralized control of user passwords is a cornerstone of a well-crafted Windows Server 2003 security scheme. Microsoft recommends that the Password must meet complexity requirements setting be configured to Enabled for all three environments that are defined in this guide. see the Microsoft Knowledge Base article "How To Prevent Users from Changing a Password Except When Required in Windows Server 2003" at http://support. environments that deploy the ChallengeHandshake Authentication Protocol (CHAP) through remote access or IAS and environments that use digest authentication for Internet Information Services (IIS) require this policy setting to be enabled. Store password using reversible encryption This policy setting determines whether the operating system uses reversible encryption to store passwords. It supports applications that use protocols that require user passwords for authentication purposes. If this setting is enabled. you can disable the Change Password option in the Windows Security dialog box that appears when you press CTRL+ALT+DELETE. You can use Group Policy to set minimum and maximum password ages as discussed earlier. Passwords that are stored with an encryption method that can be reversed can be retrieved more easily than passwords that are stored with non-reversible encryption. the Specialized Security – Limited Functionality environment design requires that users change their passwords only when the operating system prompts them to do so after the Maximum password age setting of 42 days. For this reason. vulnerability is increased.Chapter 3: The Domain Policy 41 For these reasons.com/?kbid=324744. However. This section describes how to prevent password changes by users except when changes are required. but remember that frequent password change requirements can enable users to circumvent the password history setting for your environment.microsoft.

Although it may seem like a good idea to configure the Account lockout duration setting to never automatically unlock." of the companion guide. and they decrease the likelihood of successful attacks on your network.2 Account Lockout Policy Settings Setting Account lockout duration Account lockout threshold Reset account lockout counter after Legacy Client 30 minutes Enterprise Client 30 minutes Specialized Security – Limited Functionality 15 minutes 10 invalid login attempts 15 minutes 50 invalid 50 invalid login login attempts attempts 30 minutes 30 minutes Account lockout duration This policy setting determines the length of time before an account is unlocked and a user can try to log on again. such a configuration may increase the number of calls the help desk receives to unlock accounts that were locked by mistake. This guide recommends that you configure the Account lockout duration setting to 30 minutes for Legacy Client and Enterprise Client environments and to 15 minutes for . Windows Server 2003 with SP1 tracks logon attempts. "Domain Level Policies. However. and the server software can be configured to disable accounts after a preset number of failed logins as a response to potential attacks. for additional discussion of these settings and how they interact. because users who forget or mistype their passwords repeatedly will need assistance. an improved and less-costly solution is to automatically monitor the Security event logs for domain controllers and generate administrative alerts when apparent attempts to guess passwords for user accounts occur. It specifies the number of minutes a locked out account will remain unavailable.42 Windows Server 2003 Security Guide Account Lockout Policy Account lockout policy is a Windows Server 2003 with SP1 security feature that locks a user account after a number of failed logon attempts occur within a specified time period. you will likely incur higher support costs if you enable account lockout policy. ensure that your organization is prepared for this additional overhead. Table 3. Account Lockout Policy Settings The following table summarizes the recommended account lockout policy settings. Before you enable the following settings. The Windows Server 2003 with SP1 default value for this policy setting is Not Defined. You can use the Group Policy Object Editor to configure these settings in the Domain Group Policy at the following location: Computer Configuration\Windows Settings\Security Settings\ Account Policies\Account Lockout Policy Additional information for each setting is provided in the subsections that follow the table. The number of attempts that are allowed and the time period are based on the values that are configured for the policy. accounts will remain locked out until an administrator unlocks them. For many organizations.com/fwlink/ ?LinkId=15159. These policy settings help protect user passwords from attackers who guess passwords. If you set the Account lockout duration value to 0.microsoft. See Chapter 2. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP at http://go.

which locks out their accounts. event 539 only shows an account lockout. but will not prevent a DoS attack as described earlier. • To prevent account lockouts. which is "Logon failure.Limited Functionality environments. The recommended settings give locked out users the chance to log on again in a reasonable amount of time without the need for assistance from the help desk. Therefore.Limited Functionality environments. the user account will eventually be locked out. The account was locked out at the time the logon attempt was made. Your organization should weigh the choice between the two based on the identified threats and the risks that you are trying to mitigate. This configuration helps reduce help desk calls because users cannot accidentally lock themselves out of their accounts. not a failed password attempt.Chapter 3: The Domain Policy 43 Specialized Security . Also. the value should help ensure that a brute force password attack will still lock out the account. • If these criteria are not met. distinct countermeasures for each of these possibilities are defined. choose this setting only if both of the following criteria are explicitly met: • • The password policy requires all users to have complex passwords that consist of eight or more characters. For example. the second option is to configure the Account lockout threshold setting to a high enough value that will provide users with the ability to accidentally mistype their password several times and not lock themselves out of their accounts. and because the password it uses to authenticate is incorrect. A robust audit mechanism is in place that can alert administrators when a series of account logon failures occur in the environment. the audit mechanism should monitor for security event 539. This value will prevent accidental account lockouts and reduce help desk calls. DoS attacks that try to intentionally lock out accounts in your organization will not succeed. UNCLASSIFIED . Because vulnerabilities can exist when the Account lockout threshold setting is configured and when it is not. configure the Account lockout threshold setting to a high number. which should provide adequate security and acceptable usability. To avoid lockout of authorized users. However. Account lockout threshold This policy setting determines the number of attempts that a user can make to log on to an account before it is locked. Authorized users can lock themselves out of their accounts in different ways. this guide recommends that you configure this policy setting value to 10 for Specialized Security . This configuration decreases the amount of operation overhead during a denial of service (DoS) attack. However. They can incorrectly enter their password or they can change their password on one computer while logged on to another computer. your administrators should also monitor for a series of bad password attempts. However. The computer with the incorrect password may continuously try to authenticate the user. However. In a DoS attack." This event means that the account was locked out at the time the logon attempt threshold was reached. set the value for Account lockout threshold setting to 0. an attacker maliciously performs a number of failed logon attempts on all users in the organization. This guide recommends that you configure the Account lockout threshold setting value to 50 for the Legacy Client and Enterprise Client environments. Because it will not prevent a brute force attack. information about this setting value needs to be communicated to users.

if there is a reasonable time value for this setting. This configuration defines a reasonable time period that users are more likely to accept without the need for assistance from the help desk. If you define an Account lockout threshold. If you leave this policy setting at its default value or configure it to an interval that is too long. this guide does not include them in the security templates that accompany this guide. you could make your environment vulnerable to an account lockout DoS attack. The Reset account lockout counter after setting works in coordination with other settings. You can configure these settings in the Group Policy Object Editor at the following location: Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options . even if there is a different account policy applied to the OU that contains the domain controller. the risk of an attacker who attempts to steal passwords to impersonate legitimate user accounts is decreased.com/fwlink/?LinkId=15159. Security Options The three different types of account policies that are discussed earlier in this chapter are defined at the domain level and are enforced by all of the domain controllers in the domain. These policies determine settings that relate to the Kerberos version 5 authentication protocol. There are three security options settings that are similar to account policies. If you reduce the lifetime of Kerberos tickets. You should apply these settings at the level of the entire domain and not within individual OUs. Kerberos policies do not exist in the local computer policy. Because the Kerberos settings are included in the default domain policy and enforced there. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. This guide recommends that you configure the Reset account lockout counter after setting to 30 minutes for the Legacy Client and Enterprise Client environments. Kerberos Policies Kerberos policies are used for domain user accounts. Conversely. the need to maintain these policies increases the authorization overhead. then this reset time must be less than or equal to the value for the Account lockout duration setting. Without a policy setting to reset the account lockout. However. In most environments. the default values for these policies should not be changed. administrators would have to manually unlock all accounts. this guide recommends that you configure this policy setting to 15 minutes for Specialized Security – Limited Functionality environments.44 Windows Server 2003 Security Guide Reset account lockout counter after This policy setting determines the length of time before the Account lockout threshold resets to 0 and the account is unlocked. This guide recommends that no changes be made to the default Kerberos policies. refer to the companion guide. However. such as ticket lifetimes and enforcement.microsoft. users would be locked out for a set period until all of the accounts are unlocked automatically. For more information about these policy settings. which is available at http://go. A domain controller always obtains the account policy from the Default Domain Policy GPO.

Network Access: Allow anonymous SID/NAME translation This policy setting determines if an anonymous user can request the SID for another user. a user who knows an administrator's standard well-known SID attributes could contact a computer that also has this policy enabled and use the SID to obtain the administrator's name. If you enable this policy setting. If logon hours are not used. That person could then use the account name to initiate a password guessing attack. If your organization has configured logon hours for users. Because the default configuration for the Network Access: Allow anonymous SID/NAME translation setting is Disabled on member computers. client sessions with the SMB service are forcibly disconnected when the client's logon hours expire. you should also enable the Network security: Force logoff when logon hours expire setting. computers that run older operating systems UNCLASSIFIED . users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours. If the Network Access: Allow anonymous SID/NAME translation setting is enabled on a domain controller. This policy setting affects the server message block (SMB) component.Chapter 3: The Domain Policy 45 Security Options Settings The following table summarizes the recommended security options settings. If it is disabled. If you disable this policy setting. an established client session is allowed to be maintained after the client's logon hours have expired. Otherwise. However. Additional information for each setting is provided in the subsections that follow the table. they will not be affected by this policy setting. this policy setting will have no impact. the default configuration for domain controllers is Enabled. then it makes sense to enable the Microsoft network server: Disconnect client when logon hours expire setting. Table 3. This guide recommends that you configure the Microsoft network server: Disconnect client when logon hours expire setting to Enabled for the three environments that are defined in the guide. When it is enabled.3 Security Options Settings Setting Microsoft network server: Disconnect clients when logon hours expire Network Access: Allow anonymous SID/NAME translation Network Security: Force Logoff when Logon Hours expire Legacy Client Enabled Enterprise Client Enabled Specialized Security – Limited Functionality Enabled Disabled Disabled Disabled Enabled Enabled Enabled Microsoft network server: Disconnect clients when logon hours expire This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours.

Microsoft SQL Servers™ that run on Windows NT 3. This guide recommends that you configure the Network Access: Allow anonymous SID/NAME translation setting to Disabled for the three environments that are defined in the guide. If you disable this policy setting. This setting affects the SMB component. Other password and account lockout settings will only affect the local accounts on member servers.0 domains. this setting must be defined in the Default Domain Policy.x–based or Windows NT 4. Examples of such computers include: • • • Windows NT® 4. client sessions with the SMB server will be forcibly disconnected when the user's logon hours expire. This guide recommends that you configure the Network Security: Force Logoff when Logon Hours expire setting to Enabled for the three environments that are defined in the guide. The user will be unable to log on to the computer until their next scheduled access time. Remote Access Service servers that run on Windows 2000–based computers that are located in Windows NT 3.0–based Remote Access Service servers.0– based computers. Summary This chapter discussed the need to review all domain-wide settings in the organization. users will be able to maintain an established client session after their logon hours expire. . To affect domain accounts. account lockout. and Kerberos version 5 authentication protocol policies can be configured for each domain. Only one set of password.46 Windows Server 2003 Security Guide may not be able to communicate with domains that are based on Windows Server 2003 with SP1. Plan to configure settings that will apply to all member servers of the domain.x domains or Windows NT 4. and ensure that these settings provide an adequate level of security across your organization. Network Security: Force Logoff when Logon Hours expire This policy setting determines whether to disconnect users who are connected to a local computer outside their user account's valid logon hours. If you enable the Network Security: Force Logoff when Logon Hours expire setting.

see the Network access: Allow anonymous SID/name translation page at http://technet2.com/?kbid=251171.mspx. Also. see “The Mole #32: Technical Answers from Inside Microsoft .microsoft. BackTalk” at www. Sharing Printers. • • UNCLASSIFIED . For information about network security and how to force logoff when logon hours expire. Logoff.microsoft.Chapter 3: The Domain Policy 47 More Information The following links provide additional information about topics that relate to domain policy for servers that run Windows Server 2003 with SP1. Two PDCs. • For information about the ability of anonymous users to request security identifier attributes for other users.mspx.com/technet/archive/community/columns/inside/techan32. see the Microsoft Knowledge Base article “Guest Account Cannot be Used When Anonymous Access Is Disabled” at http://support.Moving Users.com/WindowsServer/en/Library/299803be-0e85-4c60-b0b51b64486559b31033.microsoft.

.

The configuration requirements in this chapter form the baseline for all of the procedures that are described in later chapters of this guide. This environment includes computers that run Windows NT® 4. Although this environment provides adequate security. Most of the work that is required to migrate from the LC environment to the EC environment involves upgrades of legacy clients such as Windows 98 and Windows NT 4. which are sometimes referred to as legacy operating systems. To provide stronger security.microsoft. the LC environment includes Windows 2000 Professional and Windows XP Professional workstations.UNCLASSIFIED Chapter 4: The Member Server Baseline Policy Overview This chapter documents the configuration requirements to manage a baseline security template for all servers that run Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1). but Windows NT member servers may exist. it is the least secure of the three environments that are defined in this guide. All domain • UNCLASSIFIED . The setting recommendations in this chapter will help establish security at the foundation of business application servers in an enterprise environment.0 domain controllers in this environment. which is available at http://go. This environment only contains Windows 2000 or Windows Server 2003 domain controllers. you must comprehensively test the coexistence of these security configurations with your organization's business applications before you implement them in production environments. Generally. There are no Windows NT 4.0 Workstation to Windows 2000 or Windows XP. This environment provides solid security and is designed for more recent versions of the Windows operating system. Enterprise Client (EC). reviewed. These chapters describe how to harden specific server roles.com/fwlink/?LinkId=15159. The chapter also provides administrative guidance for the setup and configuration of a secure Windows Server 2003 with SP1 configuration in three distinct environments. and tested by the team that created this guide.0 and Microsoft Windows® 98. The recommendations in this chapter are suitable for most organizations and may be deployed on either existing or new computers that run Windows Server 2003 with SP1. The EC environment includes client computers that run Windows 2000 Professional and Windows XP Professional. The security settings that are discussed in this chapter relate to the following three environments: • Legacy Client (LC). organizations may choose to migrate to the more secure Enterprise Client environment. The default security configurations within Windows Server 2003 with SP1 were researched. most of the following configuration recommendations provide greater security than the default settings. For information about all default settings and a detailed explanation of each of the settings that are discussed in this chapter. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. see the companion guide. In addition to the referenced legacy operating systems. However.

some applications need to adjust user rights assignments to grant their service account additional privileges. security concerns are so great that significant loss of client functionality and manageability is considered an acceptable tradeoff if the highest levels of security can be achieved. The following figure shows the three security environments and the clients that are supported in each. Migration from the EC environment to the Specialized Security – Limited Functionality (SSLF) environment requires compliance with stringent security policies for both client computers and servers. For example. This environment includes client computers that run Windows 2000 Professional and Windows XP Professional. You should assume that this configuration will affect compatibility. • Specialized Security – Limited Functionality (SSLF). because it may cause applications that attempt to adjust some settings locally to fail. and domain controllers that run Windows 2000 Server or Windows Server 2003. In many instances. This environment provides much stronger security than the EC environment. The chapter also enforces specific defaults for all three .50 Windows Server 2003 Security Guide controllers and member servers in this environment run Windows 2000 Server or Windows Server 2003. Because Group Policies take precedence over local machine policy. You will notice that in many cases the SSLF environment will explicitly set the default value. these operations will fail.inf file security templates are used as a foundation for the Enterprise Client – Member Server Baseline Policy (MSBP). In the SSLF environment. this chapter prescribes settings that are different than the default values. The following figure shows how the . The figure also shows one possible way to link this policy and apply it to all servers in an organization. You should thoroughly test all applications before you deploy any of the recommended settings to your production computers—especially SSLF settings. Figure 4. Member servers in this environment run Windows 2000 Server or Windows Server 2003.1 Existing and planned security environments Organizations that want to secure their environments by means of a phased approach may choose to start at the Legacy Client environment level and then gradually migrate to more secure environments as they upgrade and test their applications and client computers with tightened security settings. Windows Server 2003 with SP1 ships with default setting values that are configured to create a secure environment.

see the companion guide.com/fwlink/?LinkId=15159. Figure 4. which is then linked to the Member Servers organizational unit (OU) Procedures to harden specific server roles are defined in the remaining chapters of this guide.inf security template is imported into the MSBP. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP at http://go.2 The EC-Member Server Baseline. The primary server roles that are discussed in this guide include: • • • • • • • • Domain controllers that include DNS services Infrastructure servers that include WINS and DHCP services File servers Print servers Web servers that run Internet Information Services (IIS) Microsoft Internet Authentication Server (IAS) servers Certificate Services (CA) servers Bastion hosts Many of the following settings that appear in the Enterprise Client MSBP also apply to these server roles in the three environments that are defined in this guide. UNCLASSIFIED . The security templates are uniquely designed to address the security needs of each particular environment. For information about all default settings. The following table shows the names of the baseline security templates for the three environments.microsoft.Chapter 4: The Member Server Baseline Policy 51 environments.

"Windows Server 2003 Hardening Mechanisms." Note: Some procedures that are used to harden servers cannot be automated by means of Group Policy. The following recommendations and setting descriptions are provided to help you determine what to monitor so that the collected data is relevant. "The Domain Controller Baseline Policy. The baseline security templates are also the basis for the domain controller security templates that are defined in Chapter 5.inf The security settings that are common to all three environments and therefore all Member Server Baseline security templates are described throughout the rest of this chapter. it will be difficult or impossible to determine what took place during a security incident. which is linked to the Domain Controllers OU in all three environments. successful logon to a computer by a user would . Audit Policy Administrators should create an Audit policy that defines which security events get reported. When audit settings for specific event categories are defined. you can create a GPO that is linked to the Member Server OU. failure logs are much more informative than success logs because failures typically indicate errors. Oftentimes. such as who accesses an object. Before you implement an Audit policy. However. Step-by-step instructions for how to create the OUs and Group Policies and then import the appropriate security template into each GPO are provided in Chapter 2. To apply these settings. You will have to move the server accounts to the appropriate child OUs of the Member Server OU based on each server's role. or if changes are made to an Audit policy setting. The following settings are described as they appear in the user interface (UI) of the Microsoft Management Console (MMC) Security Configuration Editor (SCE) snap-in. administrators can create an Audit policy that suits the security needs of the organization. Administrators can monitor security-related activity. if a user logs on to or off from a computer. These procedures are described in the “Additional Security Settings” section of this chapter. For example. and that records user or computer activity in specified event categories.52 Windows Server 2003 Security Guide Table 4. The audit settings that an administrator chooses for the event categories define the organization's Audit policy. the Security log will fill up with useless data.1 Baseline Security Templates for All Three Environments Legacy Client LC-Member Server Baseline. If no Audit policy exists. you must decide which event categories to audit for the environment. which is known as a baseline policy.inf Enterprise Client EC-Member Server Baseline. if audit settings are configured so that many authorized activities generate events.inf Specialized Security – Limited Functionality SSLF-Member Server Baseline. The GPO automates the configuration of specific security settings on each server." The Domain Controllers Role security templates include baseline settings for the Domain Controllers Group Policy GPO. Windows Server 2003 Baseline Policy Settings at the Member Server OU level define the common settings for all member server roles that are discussed in this guide.

com/fwlink/?LinkId=15159." which is included with the downloadable version of this guide. Therefore. You can configure the Audit policy setting values in Windows Server 2003 with SP1 at the following location within the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\ Local Policies\Audit Policy For a summary of the prescribed settings in this section. and System event logs. organizations should determine how they will collect. which is available at http://go. Also. see the Microsoft Excel® workbook "Windows Server 2003 Security Guide Settings. The impact for a given combination of settings may be negligible on an enduser computer but quite noticeable on a busy server. Before an Audit policy implementation. and system events. For more information about the default settings and a detailed explanation of each of the settings that are discussed in this section. The event log container of Group Policy is used to define attributes that are related to the Application. you should test whether performance will be affected before you deploy new audit settings in your production environment. In Microsoft Windows operating systems. Additional information about each setting is provided in the subsections that follow the table. and analyze the data. However. security events. and retention settings and methods. see the companion guide. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. if someone unsuccessfully tries to log on to a computer multiple times.microsoft. Table 4. it may indicate an attempt to break into the computer with someone else's account credentials. Large volumes of audit data have little value if there is no plan to exploit it. there are separate event logs for applications. You may notice that the settings for most values are similar for all three environments. access rights for each log.Chapter 4: The Member Server Baseline Policy 53 typically be considered normal. The Security log records audit events. The following table includes the Audit policy setting recommendations for all three environments that are defined in this guide. such as maximum log size. performance may be affected when computer networks are audited. organize. Security. The event logs record events on the computer.2 Audit Policy Settings Setting Audit account logon events Audit account management Audit logon events Audit object access Audit policy change Audit privilege use Audit process tracking Audit system events Legacy Client Success Success Success No Auditing Success No Auditing No Auditing Success Enterprise Client Success Success Success No Auditing Success No Auditing No Auditing Success Specialized Security – Limited Functionality Success Failure Success Failure Success Failure Failure Success Failure No Auditing Success UNCLASSIFIED .

A domain account logon was attempted. Pre-authentication failed. Authentication ticket request failed. Authentication of a local user on a local computer generates a logon event that is logged in the local Security log. A ticket granting service (TGS) ticket was granted. No account logoff events are logged. Windows Server 2003 with SP1 will log successes and failures for this event type. This event is generated on a Key Distribution Center (KDC) when a user enters an incorrect password. The Audit account logon events setting is configured to log Success values for the LC and EC baseline policies. the type of this event will be Success Audit for successful requests or Failure Audit for failed requests. This event is not generated by Windows Server 2003 with SP1. 673 674 675 676 677 678 681 682 683 . These event IDs can be useful when you want to create custom alerts to monitor any software suite. In Windows Server 2003 with SP1. An account was successfully mapped to a domain account.54 Windows Server 2003 Security Guide Audit account logon events This policy setting determines whether to audit each instance of a user who logs on to or off from another computer that validates the account. and to log both Success and Failure events for the SSLF baseline policy. Logon failure. A TGS ticket was not granted. such as Microsoft Operations Manager (MOM). This event is only generated by domain controllers. A user disconnected a Terminal Server session but did not log off. The following table includes the important security events that this policy setting logs in the Security log. A user has reconnected to a disconnected Terminal Server session. which uses a failure audit event with ID 672 for this case. Table 4.3 Account Logon Events Event ID 672 Event description An authentication service (AS) ticket was successfully issued and validated. A TGS is a ticket that is issued by the Kerberos version 5 TGS that allows a user to authenticate to a specific service in the domain. A security principal renewed an AS ticket or a TGS ticket. Other Windows versions use this event to indicate an authentication failure that was not due to incorrect credentials. This event is not generated by Windows Server 2003 with SP1. Authentication of a domain user account on a domain controller generates an account logon event that is logged in the domain controller's Security log.

or deleted. but could also indicate a deliberate attack. A password is set or changed. A global group account was changed. A member was added to a local group. and to log both Success and Failure values for the SSLF baseline policy.4 Account Management Events Event ID Event description 624 627 628 630 631 632 633 634 635 636 637 638 639 641 642 643 644 A user account was created. A global group was created. Examples of account management events include: • • • A user account or group is created. A local group was deleted. modifies. changed. Table 4. The logs can help you determine which accounts an attacker has modified and created. A new local group was created. A user account is renamed. UNCLASSIFIED . The following table includes the important security events that this policy setting records in the Security log. A member was removed from a global group. A member was added to a global group. account management failure events often indicate attempts by a lower-level administrator—or an attacker who has compromised a lower-level administrator's account—to elevate their privileges. These event IDs can be useful when you want to create custom alerts to monitor any software suite. For example. A local group account was changed. A member was removed from a local group. or enabled.Chapter 4: The Member Server Baseline Policy 55 Audit account management This policy setting determines whether to audit each account management event on a computer. A user password was set. Most operational management software can be customized with scripts to capture or flag events that are based on these event IDs. A user account was changed. A user account was automatically locked. A user account was deleted. The Audit account management setting is configured to log Success values for the LC and EC baseline policies. A global group was deleted. or deletes both domain and local accounts. Organizations need to be able to determine who creates. A domain policy was modified. Unauthorized changes could indicate mistaken changes made by an administrator who does not understand how to follow organizational policies. disabled. A user password was changed. such as MOM.

A security-disabled global group was changed. Note: SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 684 A local security group with security disabled was changed. A security-enabled universal group was changed. A security-disabled global group was created. A security-enabled universal group was deleted. A security-disabled local group was deleted. A local security group with security disabled was created. A security-disabled universal group was changed. A member was added to a security-disabled local security group. a background thread searches all members of administrative groups (such as domain.56 Windows Server 2003 Security Guide Event ID Event description 645 646 647 648 A computer account was created. . A computer account was changed. A member was added to a security-enabled universal group. A member was removed from a security-enabled universal group. 685 Name of an account was changed. A member was removed from a security-disabled global group. The security descriptor of administrative group members was set. A security-disabled universal group was created. and schema administrators) and applies a fixed security descriptor on them. A member was removed from a security-disabled local security group. A member was added to a security-disabled universal group. Note: Every 60 minutes on a domain controller. A security-disabled global group was deleted. A group type was changed. A security-disabled universal group was deleted. A member was removed from a security-disabled universal group. Audit logon events This policy setting determines whether to audit each instance of user logon and logoff from a computer. This event is logged. enterprise. A security-enabled universal group was created. A member was added to a security-disabled global group. A computer account was deleted. The Audit logon events setting generates records on domain controllers to monitor domain account activity and on local computers to monitor local account activity.

Main mode was terminated. The Audit logon events setting is configured to log Success values in the LC and EC baseline policies and to log both Success and Failure values for the SSLF policy.Chapter 4: The Member Server Baseline Policy 57 If you configure the Audit logon events setting to No auditing. The logon attempt failed for other reasons. A data channel was terminated. an event will be generated each time that someone logs on to the network. it is difficult or impossible to determine which users have either logged on or attempted to log on to computers in the organization. The Net Logon service is not active. If the user logs on to a local account and the Audit account logon events setting is Enabled. regardless of where the accounts reside on the network. The following table includes the important security events that this policy setting records in the Security log. A logon attempt was made using an expired account. Logon failure. A logon attempt was made using a disabled account. Logon failure. Logon failure. the reason for the logon failure may not be known. Logon failure. no audit record evidence will be available for analysis after a security incident takes place. Logon failure. Note: In some cases. Logon failure. A logon attempt was made outside the allowed time. Logon failure. Even if you do not modify the default values for this policy setting. or quick mode has established a data channel. The account was locked out at the time the logon attempt was made. Logon failure. The user attempted to log on with a password type that is not allowed. Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association). The password for the specified account has expired. because of policy changes. 542 543 544 Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated. the user logon will generate two events. The logoff process was completed for a user. A user successfully logged on to a network.5 Audit Logon Events Event ID Event description 528 529 530 531 532 533 534 535 536 537 538 539 540 541 A user successfully logged on to a computer. UNCLASSIFIED . Note: This might occur because the time limit on the security association expired (the default is eight hours). Table 4. Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. Logon failure. If you enable the Success value for the Audit logon events setting on a domain member. or peer termination. A logon attempt was made by a user who is not allowed to log on at the specified computer.

Logon failure. A user initiated the logoff process. IKE security association establishment failed because the peer sent a proposal that is not valid. Organizations should define only the actions they want enabled when SACLs are configured. The Audit object access setting determines whether to audit the event when a user accesses an object— for example. or group) to be audited. A user successfully logged on to a computer with explicit credentials while already logged on as a different user. Notification message that could indicate a possible denial-of-service (DoS) attack. A packet was received that contained data that is not valid. you might want to enable the Write and Append Data audit setting on executable files to track when they are changed or replaced. or both. an audit entry will be generated each time that a user successfully accesses an object with a specified SACL. . A failure occurred during an IKE handshake. you might want to track when sensitive documents are accessed or changed. because computer viruses. A user disconnected a terminal server session but did not log off. Similarly. registry key. A flag to indicate whether to audit failed access events. For example.58 Windows Server 2003 Security Guide Event ID Event description 545 546 Main mode authentication failed because of a Kerberos authentication protocol failure or a password that is not valid. The specific access type to be audited (called an access mask). and Trojan horses typically target executable files. successful access events. It appears on the terminal server. A SACL is comprised of access control entries (ACE). 547 548 549 550 551 552 682 683 Audit object access By itself. or printer—that has a specified system access control list (SACL). worms. a file. folder. Each ACE contains three pieces of information: • • • The security principal (user. A user has reconnected to a disconnected terminal server session. Note: This event is generated when a user is connected to a terminal server session over the network. The security identifier (SID) from a trusted domain does not match the account domain SID of the client. computer. Logon failure. If you configure the Audit object access setting to log Success values. an audit entry will be generated each time that a user unsuccessfully attempts to access an object with a specified SACL. If you configure this policy setting to log Failure values. this policy setting will not cause any events to be audited. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests.

One or more certificate request attributes changed. However. Certificate Services revoked a certificate. Note: This event is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile(). Certificate Services published the CRL. The following table includes the important security events that this policy setting records in the Security log. Table 4. 568 569 570 571 572 772 773 774 775 776 777 778 779 780 781 782 783 784 An attempt was made to create a hard link to a file that is being audited. A permission associated with a handle was used. 564 565 567 A protected object was deleted. The Administrator Manager initialized the application. A handle to an object was closed. Certificate Services backup completed. UNCLASSIFIED . An attempt was made to open an object with the intent to delete it.6 Object Access Events Event ID Event description 560 562 563 Access was granted to an already existing object. Certificate Services restore completed. Access was granted to an object type that already exists. Certificate Services started. Certificate Services received a resubmitted certificate request. When the handle is used. Certificate Services backup started. The resource manager in Authorization Manager attempted to create a client context. up to one audit is generated for each of the permissions that were used. Certificate Services restore started.Chapter 4: The Member Server Baseline Policy 59 The Audit object access setting is configured to the default value of No auditing in the baseline policy for the LC and EC environments. A certificate request extension was made. Note: An event will be generated for every attempted operation on the object. Certificate Services received a request to publish the certificate revocation list (CRL). Note: A handle is created with certain granted permissions (such as Read and Write). The client context was deleted by the Authorization Manager application. this policy setting is configured to log Failure values in the baseline policy for the SSLF environment. A client attempted to access an object. The Certificate Manager denied a pending certificate request. Certificate Services received a request to shut down.

60 Windows Server 2003 Security Guide Event ID Event description 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 Certificate Services stopped. or Audit policies. Certificate Services approved a certificate request and issued a certificate. an audit entry will be generated for each failed change to user rights assignment policies. One or more rows have been deleted from the certificate database. trust policies. Certificate Services retrieved an archived key. Certificate Services imported and archived a key. Certificate Services denied a certificate request. The audit filter for Certificate Services changed. The recommended settings would allow you to you see any account privileges that an attacker attempts to elevate—for example. If you configure this policy setting to log Failure values. Certificate Services archived a key. Role separation enabled. Audit policy change This policy setting determines whether to audit every incident of a change to user rights assignment policies. trust policies or the Audit policy itself. . Certificate Services imported a certificate into its database. Certificate Services received a certificate request. The security permissions for Certificate Services changed. if they tried to add the Debug programs privilege or the Back up files and directories privilege. The certificate manager settings for Certificate Services changed. The Audit policy change setting is configured to log Success values in the baseline policy for all three environments that are defined in this guide. an audit entry will be generated for each successful change to user rights assignment policies. A property of Certificate Services changed. the Failure setting value does not capture meaningful events. Certificate Services published the certification authority (CA) certificate to Active Directory. The following table includes the important security events that this policy setting records in the Security log. A configuration entry changed in Certificate Services. Currently. trust policies. Certificate Services set the status of a certificate request to pending. or Audit policies. If you configure the Audit policy change setting to log Success values.

deleted. or modified in a single update of the forest trust information. An IPsec policy agent was disabled. A Kerberos version 5 policy changed. Audit policy was set on a per-user basis Audit policy was refreshed on a per-user basis. For example. Trusted forest information was modified. The event log service read the Security log configuration for a session. Note: See event description for event 769. all the generated event messages are assigned a single unique identifier called an operation ID. parameters such as DNS name. or modified entry.Chapter 4: The Member Server Baseline Policy 61 Table 4. If multiple entries are added. An IPsec policy agent encountered a potentially serious failure. One event message is generated for each added. A user right was removed. An Internet Protocol security (IPsec) policy agent started. Note: When a namespace element in one forest overlaps a namespace element in another forest. NetBIOS name and SID are not valid for an entry of type "TopLevelName. This functionality allows you to determine that the multiple generated event messages are the result of a single operation. Note: See event description for event 769. Not all parameters are valid for each entry type." 770 771 805 Trusted forest information was deleted. NetBIOS name. A trust relationship with another domain was created. fields such as DNS name. Note: This event message is generated when forest trust information is updated and one or more entries are added. System access was granted to an account. An audit policy was changed. A trust relationship with another domain was modified. A collision was detected between a namespace element in one forest and a namespace element in another forest. UNCLASSIFIED . Encrypted Data Recovery policy changed. deleted. name resolution ambiguity for namespace elements can result. Not all parameters are valid for each entry type. An IPsec policy agent changed.7 Audit Policy Change Events Event ID Event description 608 609 610 611 612 613 614 615 616 617 618 620 621 622 623 625 768 A user right was assigned. This overlap is also called a collision. and SID are not valid for an entry of type 'TopLevelName. A trust relationship with another domain was removed.' 769 Trusted forest information was added. For example. System access was removed from an account.

an audit entry is generated each time that the process that is being tracked succeeds. an audit entry will be generated each time that a user right is exercised unsuccessfully. The Audit privilege use setting is left at the default value of No auditing in the baseline policy for the LC and EC environments. and can often indicate an attempted security breach. The following table includes the important security events that this setting records in the Security log. Privileges were used on an already open handle to a protected object. Audit process tracking This policy setting determines whether to audit detailed tracking information for events such as program activation. Organizations should configure the Audit privilege use setting to Enable only if there is a specific business reason to do so. process exit. Table 4. Audits are not generated when the following user rights are exercised. even if you configure the Audit privilege use setting. A user attempted to perform a privileged system service operation. If you configure this policy setting to log Failure values. so it is typically configured to No auditing.8 Privilege Use Events Event ID Event description 576 577 578 Specified privileges were added to a user's access token. handle duplication. The Audit process tracking setting will generate a large number of events. this policy setting is configured to log Failure values in the baseline policy for the SSLF environment. and indirect object access. because these user rights generate many events in the Security log. If you configure the Audit privilege use setting to log Success values. Failed use of a user right is an indicator of a general network problem. an audit entry is generated each time that the process that is being tracked fails. However. you must enable the Audit: Audit the use of Backup and Restore privilege security option in Group Policy. an audit entry will be generated each time that a user right is exercised successfully. as it is in the baseline policy for all three . Note: This event is generated when the user logs on.62 Windows Server 2003 Security Guide Audit privilege use This policy setting determines whether to audit each exercise of a user right. If you configure this policy setting to log Success values. Performance of your computers would likely be affected if these user rights were audited: • • • • • • • Bypass traverse checking Debug programs Create a token object Replace process level token Generate security audits Back up files and directories Restore files and directories Note: If you wish to audit these user rights. If you configure this policy setting to log Failure values.

Chapter 4: The Member Server Baseline Policy 63 environments that are defined in this guide. an audit entry is generated when a system event is attempted unsuccessfully. (The default setting is 90 days. If you configure this policy setting to log Failure events. A data protection master key was backed up. UNCLASSIFIED . However. A user attempted to install a service. and Encrypting File System (EFS).) The key is usually backed up by a domain controller. A scheduler job was created. Note: The master key is used by the CryptProtectData and CryptUnprotectData routines. A trusted logon process has registered with the Local Security Authority. The following table includes the most useful successful events for this setting. an audit entry is generated when a system event is executed successfully. Internal resources that were allocated to queue of security event messages have been exhausted. An authentication package was loaded by the Local Security Authority. The master key is backed up each time a new one is created. Table 4. Windows is shutting down. 597 598 599 600 601 602 A data protection master key was recovered from a recovery server. Auditable data was protected. A process was assigned a primary token. The following table includes the important security events that this setting records in the Security log.10 System Event Messages for Audit System Events Event ID Event description 512 513 514 515 516 Windows is starting up. A process exited. Table 4. Indirect access to an object was obtained. and the loss of some security event messages has occurred.9 Process Tracking Events Event ID Event description 592 593 594 595 596 A new process was created. Auditable data was unprotected. this policy setting can be very helpful during an incident response because it provides a detailed log of the processes that are started and the time when each one was launched. If you configure this policy setting to log Success values. A handle to an object was duplicated. Audit system events This policy setting determines whether to audit when a user restarts or shuts down a computer or when an event occurs that affects either the computer’s security or the Security log.

Windows Server 2003 assigns different rights to built-in groups on member servers and domain controllers. Note: This audit typically appears twice. A notification package was loaded by the Security Accounts Manager. Windows Authorization Access Group. Members of this group can administer domain servers. but any domain-based Group Policy settings will override them the next time that the Group Policies are refreshed or reapplied.64 Windows Server 2003 Security Guide Event ID Event description 517 518 519 The audit log was cleared. • Member Servers • Power Users. TelnetClients. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on user objects. • • • Domain Controllers • • • The Guests group and the user accounts Guest and Support_388945a0 have unique SIDs between different domains. Members of this group have access to Terminal Server License Servers on the network. You can configure the user rights assignment settings in Windows Server 2003 with SP1 at the following location within the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\ Local Policies\User Rights Assignment The default user rights assignments are different for the various types of servers in your organization. A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space. Members of this group have access to the Telnet server on the network. Server Operators. An example of a privilege is the right to shut down the computer. For example. HelpServicesGroup. Administrators still have the user right. (Similarities between built-in groups on different server types are not documented in the following list. Local administrators can make changes. Therefore. the policy templates can be edited individually to include the appropriate . Both types are assigned by administrators to individual users or groups as part of the security settings for the computer. The system time was changed. this Group Policy for user rights assignments may need to be modified on a computer on which only the specific target group exists. Possess most administrative powers with some restrictions. An example of a logon right is the right to log on to a computer interactively. The group for the Help and Support Center. 520 User Rights Assignments User rights assignments provide users and groups with logon rights or privileges on the computers in your organization. Alternatively. Note: Throughout this section. Power Users can run legacy applications in addition to applications that are certified for Windows Server 2003 with SP1 or Windows XP. Terminal Server License Services. "Not defined" applies only to users. Support_388945a0 is a member of this group by default.

and Guest. NETWORK SERVICE. Note: Because of the unique SIDs that exist between members of the Guests group. For a summary of the prescribed settings in this section. a domain controller Group Policy could be created on a domain controller in a test environment. This section provides details about the prescribed MSBP user rights assignment settings for all three environments that are defined in this guide. Authenticated Users.11 User Rights Assignments Setting Recommendations Setting Legacy Client Enterprise Client Specialized Security – Limited Functionality Administrators. Backup Operators. For information about the default settings and a detailed explanation of each of the settings that are discussed in this section. see the companion guide. Backup Operators. Power Users Administrators and Remote Desktop Users Not defined Not defined Not defined Not defined Administrators. Power Users Administrators and Remote Desktop Users Not defined Not defined Not defined Not defined Not defined Not defined Allow log on through Terminal Services Back up files and directories Bypass traverse checking Change the system time Create a pagefile Administrators Administrators Authenticated Users Administrators. For example. These settings are described in the "Additional Security Settings" section later in this chapter. see the Microsoft Excel workbook "Windows Server 2003 Security Guide Settings. ENTERPRISE DOMAIN CONTROLLERS No one Administrators. Additional information about each setting is provided in the subsections that follow the table. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP.Chapter 4: The Member Server Baseline Policy 65 groups within the . The following table includes the user rights assignments setting recommendations for all three environments that are defined in this guide. Table 4." which is included with the downloadable version of this guide. LOCAL SERVICE Administrators Access this computer Not defined from the network Not defined Act as part of the operating system Adjust memory quotas for a process Allow log on locally Not defined Not defined Not defined Not defined Administrators. some settings that are used to harden servers cannot be automated by means of the security templates that are included with this guide.inf files. SERVICE Create a token object Not defined Create global objects Not defined UNCLASSIFIED . LOCAL SERVICE Administrators No one Administrators. Support_388945a0.

Guests. Support_388945a 0. Support_388945a0. Guests. all NONOperating System service accounts Guests. SERVICE Administrators Administrators No one Not defined NETWORK SERVICE Administrators Administrators Administrators Log on as a batch job Not defined Log on as a service Manage auditing and security log Modify firmware environment values Perform volume maintenance tasks Not defined Not defined Not defined Not defined . Support_388945a0. No one Guests. all NON-Operating System service accounts Guests. Support_388945a0. Guests Administrators Create permanent shared objects Debug programs Deny access to this computer from the network Not defined Not defined ANONOYMOUS LOGON. Support_388945a 0 Not defined Not defined Guests Not defined Administrators ANONOYMOUS LOGON. Support_388945a 0 Not defined Not defined Guests Not defined Deny logon as a batch job Deny logon as a service Deny logon locally Deny logon through Terminal Services Enable computer and Not defined user accounts to be trusted for delegation Force shutdown from Not defined a remote system Generate security audits Impersonate a client after authentication Increase scheduling priority Load and unload device drivers Lock pages in memory Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Administrators NETWORK SERVICE.66 Windows Server 2003 Security Guide Setting Legacy Client Enterprise Client Specialized Security – Limited Functionality No one No one ANONOYMOUS LOGON. all NONOperating System service accounts Guests. Guests. Support_388945a 0. LOCAL SERVICE Administrators.

Act as part of the operating system This policy setting determines whether a process can assume the identity of any user and thereby gain access to the resources that the user is authorized to access. NETWORK SERVICE Administrators Administrators No one Administrators Profile single process Not defined Profile system performance Remove computer from docking station Replace a process level token Restore files and directories Shut down the system Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Synchronize Not defined directory service data Take ownership of files or other objects Not defined Access this computer from the network This policy setting determines which users and groups are allowed to connect to the computer over the network. although permissions that are assigned to the Everyone security group in Windows Server 2003 with SP1 no longer provide access to anonymous users. Common Internet File System (CIFS). the Everyone security group is denied the Access this computer from the network user right in the SSLF environment. which denies this user right to all security groups and accounts. only low-level authentication services require this user right. The Access this computer from the network setting is configured to Not defined for the LC and EC environments.Chapter 4: The Member Server Baseline Policy 67 Setting Legacy Client Enterprise Client Specialized Security – Limited Functionality Administrators Administrators Administrators LOCAL SERVICE. Authenticated Users. including server message block (SMB)-based protocols. and Component Object Model Plus (COM+). For this reason. which helps guard against attacks that target guest access to the domain. However. guest groups and accounts can still be assigned access through the Everyone security group. for the SSLF environment this policy setting is configured to a null value or blank. The Act as part of the operating system user right is configured to Not defined for the LC and EC environments. HTTP. Typically. and ENTERPRISE DOMAIN CONTROLLERS groups are assigned this user right in the SSLF environment. It is required by a number of network protocols. NetBIOS. UNCLASSIFIED . Only the Administrators. However.

For the SSLF environment. It is used only when an application attempts access through the NTFS backup application programming interface (API) with a backup utility such as NTBACKUP. An attacker could exploit this user right to launch a DoS attack. The Bypass traverse checking setting is configured to Not defined for the LC and EC environments. However. The Back up files and directories setting is configured to Not defined for the LC and EC environments. Allow log on locally This policy setting determines which users can log on interactively to the specified computer. but it can be abused. Any account with this user right could be used to log on to the computer’s local console. This user right is assigned to only the Administrators group for the SSLF environment. only members of the Administrators group are assigned this user right. This user right is assigned to only the Authenticated Users group for the SSLF environment. The Allow log on locally user right is restricted to the Administrators. NETWORK SERVICE. Otherwise. This user right is assigned to only the Administrators group for the SSLF environment. and Power Users groups for the LC and EC environments. and LOCAL SERVICE for the SSLF environment. normal file and directory permissions apply. it only allows the user to traverse its directories. Bypass traverse checking This policy setting determines whether users can pass through folders without being checked for the special “Traverse Folder” access permission when they navigate an object path in the NTFS file system or in the registry. The Adjust memory quotas for a process setting is configured to Not defined for the LC and EC environments. The user right does not allow the user to list the contents of a folder. Allow log on through Terminal Services This policy setting determines which users or groups have permission to log on as a Terminal Services client. . For the LC and EC environments. Backup Operators. It is useful for computer tuning purposes. Back up files and directories This policy setting determines whether users can circumvent file and directory permissions to back up the computer. Logons that are initiated with the CTRL+ALT+DEL key combination on the keyboard require the user to have this user right. this user right is assigned to the Administrators group. the Allow log on through Terminal Services user right is restricted to the Administrators and Remote Desktop Users groups. which helps prevent logon by unauthorized users who may want to elevate their privileges or introduce viruses into the environment.68 Windows Server 2003 Security Guide Adjust memory quotas for a process This policy setting determines whether users can adjust the maximum amount of memory that is available to a process.EXE.

it is typically not necessary to specifically assign this user right to users. for the SSLF environment this policy setting is UNCLASSIFIED . which could make it impossible for users to log on to the domain or to obtain authorization to access domain resources after they log on. which the process can then use to gain access to any local resources when it uses NtCreateToken() or other token-creation APIs. this user right is only assigned to the SERVICE and Administrators groups. the logs will not reflect the actual time that events occurred. For the SSLF environment. The Create permanent shared objects setting is configured to Not defined for the LC and EC environments. The Create a token object setting is configured to Not defined for the LC and EC environments. It is useful to kernel-mode components that extend the object namespace. However. However. This user right is assigned to only the Administrators group for the SSLF environment. Note: Discrepancies between the time on the local computer and on the domain controllers may cause problems for the Kerberos authentication protocol. printers. The Create global objects setting is configured to Not defined for the LC and EC environments. and such components have this user right inherently. which are time stamped by the computer's internal clock. which means no security group or account will have this user right. Create a token object This policy setting determines whether a process can create a token. which means that they can create shared folders. If the computer’s time is changed. The Change the system time setting is configured to Not defined for the LC and EC environments.Chapter 4: The Member Server Baseline Policy 69 Change the system time This policy setting determines which users can change the time and date on the internal clock of the computer. Create a pagefile This policy setting determines whether users can create and change the size of pagefiles. the user specifies a page file size for a particular drive in the Performance Options box that is located on the Advanced tab of the System Properties dialog box. Create permanent shared objects This policy setting determines whether users can create directory objects in the object manager. and other objects. To perform this task. Create global objects This policy setting allows users to create global objects that are available to all sessions. Users can still create objects that are specific to their own session without being assigned this user right. The Create a pagefile setting is configured to Not defined for the LC and EC environments. for the SSLF environment this policy setting is configured to a null value or blank. Therefore. This user right is assigned to only the Administrators group and the Local Service account for the SSLF environment. Users who are assigned this user right can affect the appearance of event logs.

which could be used to allow accounts to schedule jobs that consume excessive . see the Microsoft Knowledge Base article "How to apply more restrictive security settings on a Windows Server 2003-based cluster server" at http://support. This policy setting determines which accounts will not be able to log on to the computer as a batch job. The Debug programs setting is configured to Not defined for the LC environment. Removal of this user right may also interfere with the Cluster Service.microsoft. It provides complete access to sensitive and critical operating system components.inf security template. Accounts that use the Task Scheduler to schedule jobs need this user right. and COM+. Deny access to this computer from the network Note: ANONOYMOUS LOGON. Deny log on as a batch job Note: ANONOYMOUS LOGON. The Deny log on as a batch job user right overrides the Log on as a batch job user right. including SMB-based protocols. and all NONoperating system service accounts are not included in the . Debug programs This policy setting determines which users can attach a debugger to any process or to the kernel. Programs should not be debugged in production environments except in extreme circumstances. These accounts and groups have unique SIDs for each domain in your organization. patches can still be manually downloaded and installed or applied through other means. see the “Manual Hardening Procedures” section near the end of this chapter.bat) file. CIFS. For more information. Support_388945a0. However. For more information. but rather a batch-queue facility. Support_388945a0.70 Windows Server 2003 Security Guide configured to a null value or blank. they must be added manually. Therefore. For all three environments that are defined in this guide. It denies a number of network protocols. and all NONoperating system service accounts are not included in the . such as when there is a need to troubleshoot a business-critical application that cannot be effectively assessed in the test environment. Guest. Note: On Windows Server 2003 with SP1. for the SSLF environment this policy setting is configured to a null value or blank. this user right is assigned only to the Administrators group. HTTP. which means no security group or account will have this user right. Support_388945a0. the Deny access to this computer from the network user right is assigned to the Guests group. Built-in Administrator. For more information. Built-in Administrator. Configuration of this policy setting for other groups could limit the abilities of users who are assigned to specific administrative roles in your environment. see the “Manual Hardening Procedures” section near the end of this chapter. This policy setting supersedes the Access this computer from the network user right when a user account is subject to both settings. Guest. You should verify that delegated tasks will not be negatively affected. This policy setting determines which users will not be able to access a computer over the network. removal of the Debug programs user right may result in an inability to use the Windows Update service. However. These accounts and groups have unique SIDs for each domain in your organization. A batch job is not a batch (. and all service accounts that are not part of the operating system. ANONOYMOUS LOGON. Therefore. For the EC environment.inf security template.com/?kbid=891597. they must be added manually. which means no security group or account will have this user right. NetBIOS.

the Deny log on as a batch job user right is assigned to the Guests group and the Support_388945a0 user account in the baseline policy for all three environments that are defined in this guide. there is no need to use local accounts to access the server from the network. this user right is assigned only to the Guests group and the Support_388945a0 user account for the SSLF environment. For more information. For this reason. Deny logon locally This policy setting determines whether users can log on directly at the computer's keyboard. UNCLASSIFIED . The Enable computer and user accounts to be trusted for delegation setting is configured to Not defined for the LC and EC environments. However. for the SSLF environment this policy setting is configured to a null value or blank. For all three environments that are defined in this guide. which means no security group or account will have this user right. Failure to assign this user right to the recommended accounts can be a security risk. Therefore. they must be added manually. Misuse of this user right could cause unauthorized impersonation of other users on the network. This policy setting determines whether users can log on as Terminal Services clients. Deny logon as a service This policy setting determines whether services can be launched in the context of the specified account. These accounts and groups have unique SIDs for each domain in your organization. Support_388945a0. However. Failure to assign this user right to the recommended accounts can be a security risk. and all NONoperating system service accounts are not included in the . Guest. Enable computer and user accounts to be trusted for delegation This policy setting determines whether users can change the Trusted for Delegation setting on a user or computer object in Active Directory. However. Deny log on through Terminal Services Note: ANONOYMOUS LOGON. this user right is assigned only to the Administrators group for the SSLF environment.inf security template. see the “Manual Hardening Procedures” section near the end of this chapter. Domain accounts can access the server for administration and end-user processing. Users or computers that are assigned this user right must also have write access to the account control flags on the object. Such an occurrence could cause a DoS condition. After the baseline member server is joined to a domain environment. the Guests group is assigned the Deny log on through Terminal Services user right so that they cannot log on through Terminal Services. The Deny logon as a service setting is configured to Not defined for the LC and EC environments. The Deny logon locally setting is configured to Not defined for the EC and LC environments.Chapter 4: The Member Server Baseline Policy 71 system resources. Built-in Administrator.

72 Windows Server 2003 Security Guide Force shutdown from a remote system This policy setting determines whether users can shut down computers from remote locations on the network. A user who is assigned the Load and unload device drivers user right can install . The Generate security audits setting is configured to Not defined for the LC and EC environments. Therefore. The Force shutdown from a remote system setting is configured to Not defined for the LC and EC environments. an attacker could use this capability to remove evidence of their unauthorized activities. accounts that can write to the Security log could be used by an attacker to fill that log with meaningless events. A user who is assigned this user right can increase the scheduling priority of a process to Real-Time and leave little processing time for all other processes.cab file on the computer. this user right is assigned only to the Administrators group for the SSLF environment. Load and unload device drivers This policy setting determines which users can dynamically load and unload device drivers. If this user right is required for this type of impersonation. However. this user right should be tightly restricted. but it might be required by software development tools. However. This user right is not required by administrative tools that are supplied with the operating system. this user right is assigned only to the Administrators group and SERVICE for the SSLF environment. Increasing relative priority within a priority class is not a privileged operation. which could cause a DoS condition. Impersonate a client after authentication This policy setting determines whether applications that run on behalf of an authenticated user can impersonate clients. If you configure the computer to shut down when it is unable to write to the Security log. If you configure the computer to overwrite events as needed. The Increase scheduling priority setting is configured to Not defined for the LC and EC environments. unauthorized users will not be able to convince a client to connect—for example. Device drivers run as highly privileged code. This user right is not required if a signed driver for the new hardware already exists in the Driver. The unauthorized user could use this capability to elevate their permissions to administrative or system levels. Increase scheduling priority This policy setting determines whether users can increase the base priority class of a process. an attacker could use this capability to create a DoS condition. The Impersonate a client after authentication setting is configured to Not defined for the LC and EC environments. Generate security audits This policy setting determines whether a process can generate audit records in the Security log. This user right is assigned only to the Administrators group for the SSLF environment. This user right is assigned only to the NETWORK SERVICE and LOCAL SERVICE accounts for the SSLF environment. Because the Security log can be used to trace unauthorized access. Any user who can shut down a computer could cause a DoS condition. by remote procedure call (RPC) or named pipes—to a service that they created to impersonate that client.

microsoft. Anyone with this user right can clear the Security log and possibly erase important evidence of unauthorized activity. For details. Log on as a service This policy setting determines whether a security principal can log on as a service. Services can be configured to run under the Local System.Chapter 4: The Member Server Baseline Policy 73 malicious code that masquerades as a device driver (unintentionally or otherwise). However. which could lead to data corruption or a DoS condition.com/technet/prodtechnol/exchange/guides/E2k3ADPerm/ 110e37bf-a68c-47bb-b4d5-1cfd539d9cba. this user right is assigned only to Administrators in the SSLF environment. Lock pages in memory This policy setting determines whether a process can keep data in physical memory. As with all of the settings that are recommended in this guide.) The Load and unload device drivers setting is configured to Not defined for the LC and EC environments. see Exchange Server 2003 Deployment online at www.mspx. Any service that runs under a separate user account must be assigned this user right. which means no security group or account will have this user right. The Log on as a service setting is configured to Not defined for the LC and EC environments. (Administrators should exercise greater care and install only drivers with verified digital signatures. Active Directory objects. either by a process through an API or by a user through System Properties. Manage auditing and security log This policy setting determines whether users can specify object access auditing options for individual resources such as files. However. Local Service. which have built-in rights to log on as a service. this user right is assigned to only the Administrators group for the SSLF environment. Users who are assigned this user right can assign physical memory to several processes and leave little or no random access memory (RAM) for other processes. this user right is assigned only to the Network Service account for the SSLF environment. and registry keys. Such an occurrence could significantly degrade performance. or Network Service accounts. for the SSLF environment this policy setting is configured to a null value or blank. Anyone who is assigned this user right could configure the settings of a hardware component to cause it to fail. This user right is powerful and should be closely guarded. Modify firmware environment values This policy setting determines whether the computer’s environment variables can be modified. The Manage auditing and security log setting is configured to Not defined for the LC and EC environments. which prevents the computer from paging the data to virtual memory on disk. Important: Microsoft Exchange Server 2003 modifies this user right in the Default Domain Controller Policy during the installation process. However. UNCLASSIFIED . However. If you use Exchange Server 2003 you will need to adjust the value of this setting for the domain controllers. Exchange will frequently record error messages to the Application event log. If this user right is restricted to the Administrator’s group. which could lead to a DoS condition. The Lock pages in memory setting is configured to Not defined for the LC and EC environments. you may need to make some adjustments to allow your organization’s applications to function normally.

Anyone who is assigned this user right can remove a portable computer from its docking station. The Remove computer from docking station setting is configured to Not defined for the LC and EC environments. However. Remove computer from docking station This policy setting determines whether users of portable computers can click Eject PC on the Start menu to undock the computers. For greater security. However. Replace a process level token This policy setting determines whether a parent process can replace the access token that is associated with a child process. such as antivirus software or an intrusion detection system. ensure that the Power Users group is not assigned this user right in the SSLF environment. an intrusion detection system. The Profile single process setting is configured to Not defined for the LC and EC environments. in that an attacker with this privilege could monitor a computer's performance to help identify critical processes that they might want to attack directly. such as antivirus software. or other users logged onto a computer. Profile single process This policy setting determines which users can use performance monitoring tools to monitor the performance of non-system processes. The Perform volume maintenance tasks setting is configured to Not defined for the LC and EC environments. This user right presents a moderate vulnerability. in that an attacker with this capability could monitor a computer's performance to help identify critical processes that they might want to attack directly. this user right is assigned to only the Administrators group for the SSLF environment. Perform volume maintenance tasks This policy setting determines whether a non-administrative or remote user can manage volumes or disks. Profile system performance This policy setting is similar to the previous setting. This user right presents a moderate vulnerability. this user right is assigned to only the Administrators group for the SSLF environment. However.74 Windows Server 2003 Security Guide The Modify firmware environment values setting is configured to Not defined for the LC and EC environments. . this user right is assigned to only the Administrators group for the SSLF environment. this user right is assigned only to the Administrators group for the SSLF environment. A user who is assigned this user right could delete a volume and cause the loss of data or a DoS condition. However. It determines whether users can monitor the performance of system processes. The Profile system performance setting is configured to Not defined for the LC and EC environments. An attacker could also determine what processes run on the computer to identify countermeasures to avoid. An attacker could also determine what processes run on the computer so that they could identify countermeasures to avoid. only members of the Administrators group should have this capability in such an environment.

However. registry. printers. However. NTFS file system (NTFS) files. which means no security group or account will have this user right. you should assign this user right only to the local Administrators group for the SSLF environment. this user right is assigned to only the LOCAL SERVICE and NETWORK SERVICE accounts for the SSLF environment.Chapter 4: The Member Server Baseline Policy 75 The Replace a process level token setting is configured to Not defined for the LC and EC environments. However. you should be very careful about the accounts and groups that you allow to shut down a domain controller. only the Administrators group is assigned this user right for the SSLF environment. regardless of the protection on the objects and properties. and threads. only the Administrators group is assigned this user right for the SSLF environment. Shut down the system This policy setting determines which locally logged on users can shut down the operating system with the Shut Down command. Security Options The policy settings in the Security Options section of Group Policy are used to enable or disable capabilities and features such as floppy disk drive access. The default configuration of the Synchronize directory service data setting is Not defined. Take ownership of files or other objects This policy setting determines whether users can take ownership of any securable object in the network. File restoration tasks are usually performed by administrators or members of another specifically delegated security group. Synchronize directory service data This policy setting determines whether a process can read all objects and properties in the directory. and other persistent objects permissions when they restore backed up files and directories. However. including Active Directory objects. The Restore files and directories setting is configured to Not defined for the LC and EC environments. This user right is required to use LDAP directory synchronization (Dirsync) services. processes. services. Even though a system shutdown requires the ability to log on to the server. Restore files and directories This policy setting determines which users can bypass file. However. directory. which is sufficient for the LC and EC environments. and folders. and logon prompts. Because misuse of this capability could cause a DoS condition. especially for highly sensitive servers and domain controllers. CD-ROM drive access. for the SSLF environment this policy setting is configured to a null value or blank. The Take ownership of files or other objects setting is configured to Not defined for the LC and EC environments. The Shut down the system setting is configured to Not defined for the LC and EC environments. the ability to shut down domain controllers should be limited to a very small number of trusted administrators. It also determines which users can set any valid security principal as the owner of an object. registry keys. These policy settings are also used to configure various other UNCLASSIFIED .

The tables in each of the following sections summarize the recommended settings for the different types of security option settings. You can configure the security options settings in Windows Server 2003 with SP1 at the following location within the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options Not all of the settings that are included in this section exist on all types of computers. such as those for the digital signing of data. Accounts Settings Table 4. The following sections provide information about the prescribed MSBP security options settings for all three environments that are defined in this guide. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP." which is included with the downloadable version of this guide. see the companion guide. the Administrator account is always enabled. and how driver installation works. The Accounts: Guest account status setting is configured to Disabled in the baseline policy for all three environments that are defined in this guide.12 Security Options: Accounts Setting Recommendations Setting Administrator account status Guest account status Legacy Client Not defined Disabled Enterprise Client Not defined Disabled Enabled Specialized Security – Limited Functionality Enabled Disabled Enabled Limit local account use of Enabled blank passwords to console logon only Accounts: Administrator account status This policy setting enables or disables the Administrator account during normal operation. The Accounts: Administrator account status setting is configured to Not defined for the LC and EC environments and to Enabled for the SSLF environment. When you start a computer in safe mode. see the Microsoft Excel workbook "Windows Server 2003 Security Guide Settings. Detailed information about the settings is provided in the subsections that follow each table. For information about the default configuration and a detailed explanation of each of the settings. the settings that comprise the Security Options portion of Group Policy that are defined in this section may need to be manually modified on computers in which these settings are present to make them fully operable. . For a summary of the prescribed settings. Accounts: Guest account status This policy setting determines whether the Guest account is enabled or disabled. administrator and guest account names. This account allows unauthenticated network users to log on as Guest and gain access to the computer. Therefore. regardless of this setting.76 Windows Server 2003 Security Guide settings.

UNCLASSIFIED . Audit Settings Table 4. which would cause servers to respond slowly and the Security log to record numerous events of little significance. Note: Changes to the configuration of this policy setting will not take effect until you restart Windows Server 2003. and local accounts that are not password protected will only be able to log on while physically located at the keyboard of the computer. a large number of audit events will be generated. Therefore. If this policy setting is enabled.Chapter 4: The Member Server Baseline Policy 77 Accounts: Limit local account use of blank passwords to console logon only This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. a large number of security events could be generated. If you enable this policy setting.13 Security Options: Audit Setting Recommendations Setting Audit the access of global system objects Audit the use of Backup and Restore privilege Shut down system immediately if unable to log security audits Legacy Client Disabled Disabled Disabled Enterprise Client Disabled Disabled Disabled Specialized Security – Limited Functionality Disabled Disabled Enabled Audit: Audit the access of global system objects This policy setting audits the access of global system objects when it is in effect. If both the Audit: Audit the access of global system objects and the Audit object access audit policy settings are enabled. The Accounts: Limit local account use of blank passwords to console logon only setting is configured to the default value of Enabled in the baseline policy for all three of the environments that are defined in this guide. including Backup and Restore. Audit: Audit the use of Backup and Restore privilege This policy setting determines whether to audit the use of all user privileges. when the Audit privilege use policy setting is in effect. the Audit: Audit the use of Backup and Restore privilege setting is configured to the default value of Disabled in the baseline policy for all three environments that are defined in this guide. Note: Changes to the configuration of this policy setting will not take effect until you restart Windows Server 2003. local accounts with nonblank passwords will not be able to log on to the network from a remote client. The Audit: Audit the access of global system objects setting is configured to the default value of Disabled in the baseline policy for all three environments that are defined in this guide.

this policy setting is configured to Enabled in the baseline policy for the SSLF environment because the additional administrative overhead was deemed acceptable to prevent the deletion of events from the Security log unless an administrator specifically chooses to do so. Only administrators should be able to eject removable media on servers. The amount of administrative overhead that was required to enable the Audit: Shut down system immediately if unable to log security audits setting in the LC and EC environments was determined to be too great. Therefore. .78 Windows Server 2003 Security Guide Audit: Shut down system immediately if unable to log security audits This policy setting determines whether the computer shuts down immediately if it is unable to log security events. If you disable this policy setting. a user who is not logged on must be assigned the Remove computer from docking station user right. Devices: Allowed to format and eject removable media This policy setting determines who can format and eject removable media. You can enable this policy setting to eliminate a logon requirement and allow use of an external hardware eject button to undock the computer. Devices Settings Table 4. The Devices: Allow undock without having to log on setting is configured to Disabled in the baseline policy for all three environments that are defined in this guide. However. this policy setting is configured to Disabled in the baseline policy for those environments.14 Security Options: Devices Setting Recommendations Setting Allow undock without having to log on Allowed to format and eject removable media Prevent users from installing printer drivers Legacy Client Disabled Administrators Enabled Enterprise Client Disabled Administrators Enabled Not defined Specialized Security – Limited Functionality Disabled Administrators Enabled Disabled Restrict CD-ROM access Not defined to locally logged-on user only Restrict floppy access to locally logged-on user only Unsigned driver installation behavior Not defined Not defined Disabled Warn but allow installation Warn but allow installation Warn but allow installation Devices: Allow undock without having to log on This policy setting determines whether a portable computer can be undocked without the user having to log on to the computer.

In the baseline policy for the SSLF environment. The Devices: Unsigned driver installation behavior setting can be used to prevent the installation of drivers that have not been certified to run on Windows Server 2003 with SP1. this policy setting is configured to Disabled. In the baseline policy for the SSLF environment. If you enable this policy setting. When this policy setting is enabled and no one is logged on interactively. One potential problem with this configuration is that unattended installation scripts will fail when they attempt to install unsigned drivers. the CD-ROM is accessible over the network. Devices: Restrict CD-ROM access to locally logged-on user only This policy setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If you enable this policy setting. the floppy media is accessible over the network. the recommended value for the Devices: Allowed to format and eject removable media setting is the default value of Administrators in the baseline policy for all three environments that are defined in this guide. Devices: Restrict floppy access to locally logged-on user only This policy setting determines whether removable floppy media are accessible to both local and remote users simultaneously. The Devices: Restrict floppy access to locally logged-on user only setting is configured to Not defined in the baseline policy for the LC and EC environments. UNCLASSIFIED . Devices: Unsigned driver installation behavior This policy setting determines what happens when an attempt is made to install a device driver (by means of Setup API) that has not been approved and signed by the Windows Hardware Quality Lab (WHQL). However. this policy setting is configured to Disabled. The Devices: Restrict CD-ROM access to locally logged-on user only setting is configured to Not defined in the baseline policy for the LC and EC environments. this policy setting is configured to Warn but allow installation in the baseline policy for all three environments that are defined in this guide. If you disable this policy setting. Devices: Prevent users from installing printer drivers For a computer to print to a network printer. If this policy setting is enabled and no one is logged on interactively. it must have the driver for that network printer installed. Depending on how you configure it. The Devices: Prevent users from installing printer drivers setting is configured to the default value of Enabled in the baseline policy for all three environments that are defined in this guide. If you enable the Devices: Prevent users from installing printer drivers setting. only those in the Administrators or Power Users groups or those with Server Operator privileges are allowed to install a printer driver to add a network printer.Chapter 4: The Member Server Baseline Policy 79 Therefore. only the interactively logged-on user is allowed to access removable floppy media. this policy setting will prevent the installation of unsigned drivers or warn the administrator that an unsigned driver is about to be installed. only the interactively logged-on user is allowed to access removable CD-ROM media. any user can install a printer driver.

the domain member will request encryption of all secure channel traffic. If a computer is set to always encrypt or sign secure channel data. If you enable this policy setting.80 Windows Server 2003 Security Guide Domain Member Settings Table 4.0 with Service Pack 6a or la more recent version of Windows. The Domain member: Digitally encrypt or sign secure channel data (always) setting is configured to Disabled in the baseline policy for the LC environment and to Enabled for the EC and SSLF environments. all domain controllers that constitute the member’s domain must run Windows NT 4. the domain member will not be allowed to negotiate secure channel encryption. Note: To take advantage of this setting on member workstations and servers. Domain member: Digitally encrypt secure channel data (when possible) This policy setting determines whether a domain member may attempt to negotiate encryption for all secure channel traffic that it initiates. Also. this policy setting is not supported in Windows 98 Second Edition clients unless they have the Dsclient installed. the Domain member: Digitally encrypt secure channel data (when possible) setting is configured to Enabled in the baseline policy for all three environments that are defined in this guide. or Windows Server 2003) session key Legacy Client Disabled Enabled Enabled Disabled 30 days Enabled Enterprise Specialized Security – Client Limited Functionality Enabled Enabled Enabled Disabled 30 days Enabled Enabled Enabled Enabled Disabled 30 days Enabled Domain member: Digitally encrypt or sign secure channel data (always) This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. then it cannot establish a secure channel with a domain controller that cannot sign or encrypt all secure channel traffic. If you disable this policy setting. Therefore. Windows XP. .15 Security Options: Domain Member Setting Recommendations Setting Digitally encrypt or sign secure channel data (always) Digitally encrypt secure channel data (when possible) Digitally sign secure channel data (when possible) Disable machine account password changes Maximum machine account password age Require strong (Windows 2000.

but is not available through the Security Configuration Manager tools on these computers. It also applies to computers that run Windows 2000. Requirement of a signature protects the traffic from modification by anyone who might capture the data. If you enable this policy setting. the domain member is required to negotiate key strength with the domain controller. an attacker will have more time to undertake a brute force attack and guess the password of one or more computer accounts. The Domain member: Digitally sign secure channel data (when possible) setting is configured to Enabled in the baseline policy for all three environments that are defined in this guide. If you disable this policy setting. Computers that are no longer able to automatically change their account passwords are at risk of attack by someone who has determined the password for the computer's domain account. Therefore. If you enable this policy setting. Session keys that are used to establish secure channel communications between domain controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. because the three security environments described in this guide contain Windows 2000 domain controllers or later. the Domain member: Require strong UNCLASSIFIED . Domain member: Require strong (Windows 2000 or later) session key This policy setting determines whether 128-bit key strength is required for encrypted secure channel data. the Domain member: Maximum machine account password age setting is configured to 30 days in the baseline policy for all three environments that are defined in this guide. Therefore. which is every 30 days by default.Chapter 4: The Member Server Baseline Policy 81 Domain member: Digitally sign secure channel data (when possible) This policy setting determines whether a domain member may attempt to negotiate a signature for all secure channel traffic that it initiates. Therefore. or if it is set to 0 so that the computers no longer change their passwords. If you disable this policy setting. Domain member: Disable machine account password changes This policy setting determines whether a domain member may periodically change its computer account password. a secure channel will not be able to be established without 128-bit encryption. the domain member will be able to change its computer account password as specified by the Domain Member: Maximum machine account password age setting. By default. Domain member: Maximum machine account password age This policy setting determines the maximum allowable age for a computer account password. the domain member will not be able to change its computer account password. If this interval is increased significantly. the domain members automatically change their domain passwords every 30 days. the Domain member: Disable machine account password changes setting is configured to Disabled in the baseline policy for all three environments that are defined in this guide.

) (Consult with the relevant people in your organization.) 0 Enabled Disabled (Consult with the relevant people in your organization.16 Security Options: Interactive Logon Setting Recommendations Setting Display user information when the session is locked Do not display last user name Do not require CTRL+ALT+DEL Message text for users attempting to log on Message title for users attempting to log on Number of previous logons to cache (in case domain controller is not available) Prompt user to change password before expiration Require Domain Controller authentication to unlock workstation Require smart card Smart card removal behavior Legacy Client Not defined Enterprise Client Not defined Specialized Security – Limited Functionality User display name. intruders will not be able to collect account names visually from the screens of desktop or laptop computers in your organization. domain and user names Enabled Disabled (Consult with the relevant people in your organization.) (Consult with the relevant people in your organization. Interactive Logon Settings Table 4. .) (Consult with the relevant people in your organization.) 1 Enabled Disabled (Consult with the relevant people in your organization. If you enable this policy setting.82 Windows Server 2003 Security Guide (Windows 2000 or later) session key setting is configured to Enabled in the baseline policy for all three environments. Note: If you enable this policy setting you will not be able to join computers that run Windows 2000 to Windows NT 4.0 domains.) 0 14 days 14 days 14 days Enabled Enabled Enabled Not defined Not defined Not defined Lock Workstation Disabled Lock Workstation Interactive logon: Display user information when the session is locked This policy setting determines whether the account name of the last user to log on to the client computers in your organization will display in each computer's respective Windows logon screen.

the Interactive logon: Message title for users attempting to log on setting is recommended. The Interactive logon: Message text for users attempting to log on security option setting is recommended. this text is used for legal reasons—for example. The Interactive logon: Do not display last user name setting is configured to Enabled in the baseline server policy for all three environments that are defined in this guide. If you enable this policy setting. If you disable this policy setting. to warn users about the ramifications of unauthorized access. The Interactive logon: Do not require CTRL+ALT+DEL setting is configured to Disabled in the baseline policy for all three environments that are defined in this guide to decrease the chance of an attacker being able to intercept user passwords by means of a Trojan horse program. Interactive logon: Message title for users attempting to log on This policy setting allows a title to be specified in the title bar of the interactive logon dialog box that displays when users log on to the computer. all users will be required to press CTRL+ALT+DEL before they log on to Windows (unless they use a smart card for Windows logon). Therefore. It is configured to User display name. Interactive logon: Message text for users attempting to log on This policy setting specifies a text message that displays to users when they log on. Typically. domain and user names in the baseline server policy for the SSLF environment. Interactive logon: Do not display last user name This policy setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen. You should consult with the relevant people in your organization to determine what this text should say. You should consult with the relevant people in your organization to determine what this text should say Note: Both the Interactive logon: Message text for users attempting to log on and Interactive logon: Message title for users attempting to log on settings must be enabled for either one to work properly. The reason for this policy setting is the same as that for the Message text for user attempting to log on setting. misuse of company information. Interactive logon: Do not require CTRL+ALT+DEL This policy setting determines whether a user must press CTRL+ALT+DEL before they can log on. UNCLASSIFIED . Note: Both the Interactive logon: Message text for users attempting to log on and the Interactive logon: Message title for users attempting to log on settings must be enabled for either one to work properly. the last logged on user's name will not display in the Log On to Windows dialog box.Chapter 4: The Member Server Baseline Policy 83 The Interactive logon: Display user information when the session is locked setting is configured to Not defined for the LC and EC environments. or that their actions may be audited.

especially if they are required to change their passwords regularly. However. the setting is configured to 1 to allow access for legitimate clients when they are unable to contact the domain controller. A user could disconnect the network cable of the server. Interactive logon: Require smart card This policy setting requires users to log on to a computer with a smart card. the Interactive logon: Prompt user to change password before expiration setting is configured to the default setting of 14 days in the baseline policy for all three environments that are defined in this guide. and Windows Server 2003. which could cause confusion for local users who find it difficult to change their passwords. Therefore. In the LC environment. The “Account Policies” section in Chapter 3 recommends that user passwords be configured to expire periodically. unlock the server with an old password. Unexpected expirations also make it impossible for remote users to log on through dial-up or virtual private networking (VPN) connections. . To prevent such an occurrence. this policy setting determines whether a domain controller must be contacted to unlock a computer. but it is not available through the Security Configuration Manager tools on computers that run Windows 2000. and unlock the server without authentication. complex passwords for authentication. If you configure this setting to 0. a user can still log on. The Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting is configured to 0 in the baseline policy for the EC and SSLF environments. This capability may allow users to log on after their account has been disabled or deleted. the logon cache is disabled. Important: This policy setting applies to computers that run Windows 2000. This approach reduces the chance that an attacker will be able to guess a user’s password by means of a brute force attack. because the workstation does not contact the domain controller. If users are not notified when their passwords are about to expire. Windows XP. the Interactive logon: Require Domain Controller authentication to unlock workstation setting is configured to Enabled in the baseline policy for all three environments that are defined in this guide. Logon information for domain accounts can be cached locally so that if a domain controller cannot be contacted on subsequent logons. Security is enhanced when users are required to use long. Interactive logon: Require Domain Controller authentication to unlock workstation For domain accounts.84 Windows Server 2003 Security Guide Interactive logon: Number of previous logons to cache (in case domain controller is not available) This policy setting determines whether a user can log on to a Windows domain with cached account information. This policy setting addresses a potential vulnerability that is similar to one for the Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting. and even strong passwords are still vulnerable to brute-force attacks. This policy setting determines the number of unique users for whom logon information is cached locally. Interactive logon: Prompt user to change password before expiration This policy setting determines how many days in advance users are warned that their passwords are about to expire. it is difficult to make users choose strong passwords. they may not realize it until the passwords have already expired.

If you configure this setting to Lock Workstation. Microsoft network clients will not be able to communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. An attacker who captures the authentication traffic between the user’s computer and the domain controller will find it extremely difficult to decrypt the traffic. Interactive logon: Smart card removal behavior This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. Microsoft Network Client Settings Table 4. The Interactive logon: Smart card removal behavior setting is configured to Not defined in the baseline policy for the LC environment and to Lock Workstation for the EC and SSLF environments. the workstation is locked when the smart card is removed. because these clients will not be able to authenticate or gain access to domain controllers. The EC and SSLF environments that are defined in this guide only contain computers that run these operating systems. However. the user is automatically logged off when the smart card is removed. If you enable this setting. and Windows Server 2003. Even if they can decrypt the traffic. Windows XP. the next time the user logs onto the network a new session key will be generated to encrypt traffic between the user and the domain controller. For this reason. UNCLASSIFIED .Chapter 4: The Member Server Baseline Policy 85 The use of smart cards instead of passwords for authentication dramatically increases security. because current technology makes it almost impossible for an attacker to impersonate another user. If you configure this setting to Force Logoff. Smart cards that require personal identification numbers (PINs) provide two-factor authentication: the user must possess the smart card and know its PIN. this policy setting is configured to Not defined in the baseline policy for the LC and EC environments. In mixed environments with legacy clients you should set this option to Disabled. However. all of which support digital signatures. This policy setting is configured to Disabled in the baseline policy for the SSLF environment.17 Security Options: Microsoft Network Client Setting Recommendations Setting Digitally sign communications (always) Digitally sign communications (if server agrees) Legacy Client Disabled Enabled Enterprise Client Enabled Enabled Specialized Security – Limited Functionality Enabled Enabled Send unencrypted password Disabled to third-party SMB servers Disabled Disabled Microsoft network client: Digitally sign communications (always) This policy setting determines whether packet signing is required by the SMB client component. you can use this setting in environments that run Windows 2000. Microsoft encourages organizations to migrate to smart cards or other strong authentication technologies. you should only enable the Interactive logon: Require smart card setting if smart cards are already deployed. which allows users to leave the area and take their smart cards with them.

to increase communications security between computers in this environment. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. the session is automatically reestablished.18 Security Options: Microsoft Network Server Setting Recommendations Setting Amount of idle time required before suspending session Digitally sign communications (always) Digitally sign communications (if client agrees) Disconnect clients when logon hours expire Legacy Client 15 minutes Disabled Enabled Enabled Enterprise Client 15 minutes Enabled Enabled Enabled Specialized Security – Limited Functionality 15 minutes Enabled Enabled Enabled Microsoft network server: Amount of idle time required before suspending session This policy setting determines the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. If client activity resumes. If you enable this policy setting. the SMB redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. The Microsoft network client: Send unencrypted password to third-party SMB servers setting is configured to the default value of Disabled in the baseline policy for the three environments that are defined in this guide. Microsoft network client: Send unencrypted password to third-party SMB servers If you enable this policy setting. Microsoft network client: Digitally sign communications (if server agrees) This policy setting determines whether the SMB client will attempt to negotiate SMB packet signatures. The implementation of digital signatures in Windows networks helps to prevent sessions from being hijacked. the Microsoft network clients on member servers will request signatures only if the servers with which they communicate accept digitally signed communication. . The Microsoft network client: Digitally sign communications (if server agrees) setting is configured to Enabled in the baseline policy for all three environments that are defined in this guide.86 Windows Server 2003 Security Guide Therefore. Microsoft Network Server Settings Table 4. unless application requirements supersede the need to maintain secret passwords. the Microsoft network client: Digitally sign communications (always) setting is configured to Enabled in the baseline policy for the EC and SSLF environments.

Windows Server 2003. This policy setting affects the SMB component. which blocks attempts to hijack sessions and supports message authentication to prevent man-in-the-middle attacks. UNCLASSIFIED . Microsoft network server: Digitally sign communications (always) This policy setting determines whether packet signing is required by the SMB server component before further communication with an SMB client is permitted. which is then verified by both the client and the server. Microsoft network server: Disconnect clients when logon hours expire This policy setting determines whether to disconnect users who are connected to a network computer outside of their user account's valid logon hours. Windows 2000 Server. If all SMB signing is completely disabled. The Microsoft network server: Disconnect clients when logon hours expire setting is configured to Enabled in the baseline policy for all three environments that are defined in this guide.Chapter 4: The Member Server Baseline Policy 87 The Microsoft network server: Amount of idle time required before suspending session setting is configured to 15 minutes in the baseline policy for all three environments that are defined in this guide. When computers are configured to ignore all unsigned SMB communications. If your organization has configured logon hours for users. Windows Server 2003. Windows 2000 Professional. When computers are configured to ignore all unsigned SMB communications. computers are vulnerable to attacks that attempt to hijack their communications sessions. The Microsoft network server: Digitally sign communications (if client agrees) setting is configured to Enabled in the baseline policy for all three environments that are defined in this guide. Microsoft network server: Digitally sign communications (if client agrees) This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. then it makes sense to enable this policy setting. The Microsoft network server: Digitally sign communications (always) setting is configured to Disabled in the baseline policy for the LC and environment and to Enabled for the EC and SSLF environments. If all SMB signing is completely disabled. Otherwise. computers are vulnerable to attacks that attempt to hijack their communications sessions. SMB signing provides this authentication because it places a digital signature into each SMB packet. legacy applications and operating systems will be unable to connect. and Windows XP Professional include versions of SMB that support mutual authentication. Windows 2000 Professional. which is then verified by both the client and the server. and Windows XP Professional include versions of SMB that support mutual authentication. which prevents attempts to hijack sessions and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication because it places a digital signature into each SMB packet. legacy applications and operating systems will be unable to connect. users should not be able to access network resources outside of their logon hours or they may be able to continue to use those resources with sessions that were established during allowed hours. Windows 2000 Server.

88 Windows Server 2003 Security Guide Network Access Settings Table 4. System\ CurrentControlSet\ Control\ Server Applications. SQL\QUERY. samr. COMNODE. System\ CurrentControlSet\ Control\ Product Options. Software\Microsoft\ Software\Microsoft\ Software\Microsoft\ Windows NT\ CurrentVersion Windows NT\ Current Version Windows NT\Current Version . Remotely accessible registry paths System\ CurrentControlSet\ Control\ Product Options. netlogon. browser System\ CurrentControlSet\ Control\ Product Options. lsarpc. SPOOLSS. System\ CurrentControlSet\ Control\ Server Applications.NET Passports for network authentication Let Everyone permissions apply to anonymous users Named Pipes that can be accessed anonymously Disabled Enabled Enabled Disabled Disabled Not defined Not defined COMNAP. LLSRPC.19 Security Options: Network Access Setting Recommendations Setting Legacy Client Enterprise Client Specialized Security – Limited Functionality Disabled Allow anonymous SID/NAME translation Do not allow anonymous enumeration of SAM accounts Do not allow anonymous enumeration of SAM accounts and shares Not defined Not defined Enabled Enabled Enabled Enabled Enabled Enabled Do not allow Enabled storage of credentials or . System\ CurrentControlSet\ Control\ Server Applications.

This policy setting is configured to Disabled in the baseline policy for the SSLF environment. a user with local access could use the wellknown Administrators SID to obtain the real name of the built-in Administrator account. even if the account has been renamed. such as enumerate the names of domain accounts. even if this setting is enabled. Network access: Do not allow anonymous enumeration of SAM accounts and shares This policy setting determines whether anonymous enumeration of SAM accounts and shares is allowed. If this policy setting is enabled. Network access: Do not allow anonymous enumeration of SAM accounts This policy setting determines what additional permissions will be granted for anonymous connections to the computer. UNCLASSIFIED . The Network access: Allow anonymous SID/Name translation setting is configured to Not defined in the baseline policy for the LC and EC environments. Windows allows anonymous users to perform certain activities. anonymous users will still have access to any resources that have permissions that explicitly include the special built-in group ANONYMOUS LOGON. when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. The Network access: Do not allow anonymous enumeration of SAM accounts setting is configured to Enabled in the baseline policy for all three environments that are defined in this guide. for example.Chapter 4: The Member Server Baseline Policy 89 Setting Legacy Client Enterprise Client Specialized Security – Limited Functionality Remotely accessible registry paths and subpaths (see the following (see the following (see the following subsection for subsection for setting subsection for setting information) setting information) information) Enabled Enabled Restrict Enabled anonymous access to Named Pipes and Shares Shares that can be accessed anonymously Sharing and security model for local accounts Not defined Not defined None Classic—local users authenticate as themselves Classic—local users authenticate as themselves Classic—local users authenticate as themselves Network access: Allow anonymous SID/name translation This policy setting determines whether an anonymous user can request SID attributes for another user. This capability is convenient. That person could then use the account to initiate a password guessing attack. However.

the Network access: Let Everyone permissions apply to anonymous users setting is configured to Disabled in the baseline policy for all three environments that are defined in this guide.90 Windows Server 2003 Security Guide The Network access: Do not allow anonymous enumeration of SAM accounts and shares setting is configured to Enabled in the baseline policy for all three environments that are defined in this guide.NET Passports for network authentication setting is configured to Enabled in the baseline policy for all three security environments that are defined in this guide.0 domains or domain controllers.NET Passports for later use after domain authentication is achieved. Network access: Named Pipes that can be accessed anonymously This policy setting determines which communication sessions (named pipes) will have attributes and permissions that allow anonymous access. or Microsoft . credentials. anonymous Windows users will be able to perform certain activities. If you enable this policy setting. An unauthorized user could anonymously list account names and shared resources and use the information to guess passwords or perform social engineering attacks. Therefore. such as enumerate the names of domain accounts and network shares. You should enforce the default values for the Network access: Named Pipes that can be accessed anonymously setting in the SSLF environment.NET Passports for network authentication This policy setting determines whether settings for Stored User Names and Passwords will save passwords. Note: Domains that have this policy setting enabled will be unable to establish or maintain trusts with Windows NT 4. Note: Changes that are made to the configuration of this policy setting will not take effect until you restart Windows. The default values consist of the following named pipes: • • • • • • • COMNAP – SNA session access COMNODE – SNA session access SQL\QUERY – SQL instance access SPOOLSS – Spooler service LLSRPC – License Logging service Netlogon – Net Logon service Lsarpc – LSA access . The Network access: Do not allow storage of credentials or . Network access: Let Everyone permissions apply to anonymous users This policy setting determines what additional permissions are granted for anonymous connections to the computer. Network access: Do not allow storage of credentials or .

ensure that you only add the named pipes that are needed to support the applications in your environment. As with all recommended settings in this guide. The default values for the Network access: Remotely accessible registry paths and sub-paths setting are enforced in the baseline security templates for all three security environments that are defined in this guide.Chapter 4: The Member Server Baseline Policy 91 • • Samr – SAM access browser – Computer Browser service Important: If you need to enable this policy setting. The default values consist of the following paths and sub-paths: • • • • • • • • • • • System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog Network access: Restrict anonymous access to Named Pipes and Shares This policy setting can be used to restrict anonymous access to shares and named pipes in the following settings: • • Network access: Named pipes that can be accessed anonymously Network access: Shares that can be accessed anonymously UNCLASSIFIED . you should carefully test this policy setting before you deploy it in a production environment. Note: Even if you configure this policy setting. Network access: Remotely accessible registry paths and sub-paths This policy setting determines which registry paths and sub-paths can be accessed over the network. you must also start the Remote Registry system service if authorized users need to be able to access the registry over the network. The Network access: Remotely accessible registry paths setting is configured to its default value in the baseline security templates for all three security environments that are defined in this guide. Network access: Remotely accessible registry paths This policy setting determines which registry paths can be accessed over the network.

The Classic configuration allows fine control over access to resources. In this context.92 Windows Server 2003 Security Guide The Network access: Restrict anonymous access to Named Pipes and Shares setting is configured to the default setting of Enabled in the baseline policy for all three environments that are defined in this guide. Network Security Settings Table 4. The Network access: Shares that can be accessed anonymously setting is configured to Not defined for the LC and EC environments and to None for the SSLF environment. The Network access: Sharing and security model for local accounts setting is configured to the default configuration of Classic in the baseline policy for all three environments that are defined in this guide. all users authenticate as Guest only to receive the same access level to a given resource. because any shares that are listed can be accessed by any network user. Network access: Sharing and security model for local accounts This policy setting determines how network logons that use local accounts are authenticated. The Guest only setting allows you to treat all users equally. Network access: Shares that can be accessed anonymously This policy setting determines which network shares can be accessed by anonymous users. because all users must be authenticated before they can access shared resources on the server. The default configuration for this setting has little impact. Sensitive data could be exposed or corrupted if this policy setting is enabled. Note: This policy setting can be very dangerous. and allows you to provide different types of access to different users for the same resource.20 Security Options: Network Security Setting Recommendations Setting Legacy Client Enabled Send NTLMv2 responses only Negotiate signing Enterprise Client Enabled Send NTLMv2 response only\refuse LM Negotiate signing Specialized Security – Limited Functionality Enabled Send NTLMv2 response only\refuse LM & NTLM Do not store LAN Manager hash value on next password change LAN Manager authentication level LDAP client signing requirements Negotiate signing .

and the level of authentication that is accepted by servers as follows. Note: Very old legacy operating systems and some applications may fail when this policy setting is enabled. For this reason. The domain controller refuses LAN Manager and NTLM authentication and accepts only NTLMv2. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Windows NT hash.21 LMCompatibilityLevel Registry Value Settings Value Protocol 0 1 2 3 4 5 Clients use LAN Manager and NTLM authentication and never use NTLMv2 session security. you will need to change the password on all accounts after this policy setting is enabled. Clients use only NTLMv2 authentication and NTLMv2 session security if the server supports it. the level of security that is negotiated. The domain controller refuses LAN Manager authentication. Table 4.Chapter 4: The Member Server Baseline Policy 93 Setting Legacy Client No minimum No minimum Enterprise Client Enabled all settings Enabled all settings Specialized Security – Limited Functionality Enabled all settings Minimum session security for NTLM SSP based (including secure RPC) clients Minimum session security for NTLM SSP based (including secure RPC) servers Enabled all settings Network security: Do not store LAN Manager hash value on next password change This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. Clients use only NTLM authentication and NTLMv2 session security if the server supports it. Also. Clients use LAN Manager and NTLM authentication and NTLMv2 session security if the server supports it. the Network security: Do not store LAN Manager hash value on next password change setting is configured to Enabled in the baseline policy for all three security environments that are defined in this guide. Clients use only NTLM authentication and NTLMv2 session security if the server supports it. The numbers in the following table are the actual settings for the LMCompatibilityLevel registry value. Network security: LAN Manager authentication level This policy setting determines which challenge/response authentication protocol is used for network logons. UNCLASSIFIED . Clients use only NTLMv2 authentication and NTLMv2 session security if the server supports it. This choice affects the level of authentication protocol that is used by client computers.

Configure this policy setting to as high a security level as possible. the Network security: LDAP client signing requirements setting is configured to Negotiate signing in the baseline policy for all three environments that are defined in this guide. which is how the setting is configured for the LC environment. At a minimum. therefore the Network security: LAN Manager authentication level setting for this environment is configured to Send NTLMv2 response only\refuse LM in the baseline policy. and then to Send NTLMv2 response only\refuse LM & NTLM on all servers after all clients are configured. The EC environment may need to support Routing and Remote Access servers. roll it back one step at a time to discover what breaks. If you have Windows 9x clients on which you can install the DSClient. Network security: LDAP client signing requirements This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. configure this policy setting to Send NTLMv2 response only\refuse LM & NTLM on all clients. Typically. you should configure this policy setting to Send LM & NTLM – use NTLMv2 session security if negotiated in the baseline policy on all computers. Routing and Remote Access servers are not supported in the SSLF environment. Unsigned network traffic is susceptible to man-inthe-middle attacks. an attacker could cause a server to make decisions that are based on false queries from the LDAP client. configure this policy setting to Send NTLMv2 response only\refuse LM & NTLM on computers that run Windows NT (Windows NT. Proper configuration of this policy setting will help ensure that network traffic from NTLM SSP– based servers is protected from man-in-the-middle attacks and data exposure. The exception to this recommendation is Windows Server 2003 Routing and Remote Access servers. or NTLM version 2 (NTLMv2) session security. . so the policy setting for this environment is configured to Send NTLMv2 response only\refuse LM & NTLM.94 Windows Server 2003 Security Guide You should configure this policy setting to the highest level that your environment allows according to the following guidelines: In an environment that includes only Windows NT 4. For an LDAP server. you can configure it to Send NTLMv2 responses only on all computers in the environment. Network security: Minimum session security for NTLM SSP based (including secure RPC) clients This policy setting allows a client to require the negotiation of message confidentiality (encryption). and Windows XP Professional). Otherwise. If you find applications that break when this policy setting is enabled. you must leave this policy setting configured to no higher than Send NTLMv2 responses only in the baseline policy for computers that do not run Windows 9x. which will not function properly if this policy setting is configured higher than Send NTLMv2 response only\refuse LM. Therefore. All settings are enabled for the EC and SSLF environments.0 SP4. but remember that you still need to allow the applications on the network to function. and Windows XP Professional. Windows 2000. Windows 2000. 128-bit encryption. The Network security: Minimum session security for NTLM SSP based (including secure RPC) clients setting is configured to No minimum in the baseline policy for the LC environment. message signing.

All settings are enabled for the EC and SSLF environments. Allows access to all files and folders on the computer. AllowAllPaths. but remember that you still need to allow the applications on the network to function. 128-bit encryption. restart it. Configure this policy setting to as high a security level as possible. Recovery Console Settings Table 4. proper configuration of this policy setting will help ensure that network traffic from NTLM SSP–based clients is protected from man-in-the-middle attacks and data exposure. the Recovery Console does not require you to provide a password. Therefore.22 Security Options: Recovery Console Setting Recommendations Setting Legacy Client Disabled Enabled Enterprise Client Disabled Enabled Specialized Security – Limited Functionality Disabled Disabled Allow automatic administrative logon Allow floppy copy and access to all drives and all folders Recovery console: Allow automatic administrative logon This policy setting determines whether the password for the Administrator account must be entered before computer access is granted. select Recover Console from the Restart menu. the Recovery console: Allow automatic administrative logon setting is configured to the default setting of Disabled in the baseline policy for all three environments that are defined in this guide. If you enable this policy setting. it can be detrimental to enable this setting because anyone can then walk up to the server. disconnect its power to shut it down. Like the previous policy setting.Chapter 4: The Member Server Baseline Policy 95 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers This policy setting allows a server to require the negotiation of message confidentiality (encryption). which allows you to set the following Recovery Console environment variables: • • AllowWildCards. The Network security: Minimum session security for NTLM SSP based (including secure RPC) servers security option setting is configured to No minimum in the baseline policy for the LC environment. However. UNCLASSIFIED . message integrity. The Recovery Console can be very useful when you need to work with computers that have startup problems. and it automatically logs on to the computer. or NTLMv2 session security. and then assume full control of the server. the user will have to enter a user name and password to access the Recovery Console account. Enables wildcard support for some commands (such as the DEL command). Recovery console: Allow floppy copy and access to all drives and all folders You can enable this policy setting to make the Recovery Console SET command available. To use the Recovery Console when this setting is disabled.

NoCopyPrompt.23 Security Options: Shutdown Setting Recommendations Setting Legacy Client Disabled Disabled Enterprise Client Disabled Disabled Specialized Security – Limited Functionality Disabled Disabled Allow system to be shut down without having to log on Clear virtual memory page file Shutdown: Allow system to be shut down without having to log on This policy setting determines whether a computer can be shut down by a user who is not required to log on to the Windows operating system. Users who can access the console could shut down the computer. this policy setting is configured to Enabled for the LC and EC environments. An attacker or misguided user could connect to the server through Terminal Services and shut it down or restart it without having to identify themselves. Allows files to be copied to removable media. Shutdown: Clear virtual memory page file This policy setting determines whether the virtual memory pagefile is cleared when the computer is shut down. such as a floppy disk. Does not prompt when overwriting an existing file.96 Windows Server 2003 Security Guide • • AllowRemovableMedia.sys) is also zeroed out when hibernation is disabled on a portable computer. the Recovery console: Allow floppy copy and access to all drives and all folders setting is configured to Disabled in the baseline policy for the SSLF environment. it causes the system pagefile to be cleared each time that the computer shuts down gracefully. Shutdown Settings Table 4. Note: An attacker who has physical access to the server could simply unplug the server from its power source to bypass this countermeasure. If you enable this policy setting. the hibernation file (Hiberfil. Server shutdowns and restarts will take longer and will be especially noticeable on servers with large pagefiles. However. For maximum security. the Shutdown: Clear virtual memory page file setting is configured to Disabled in all three environments that are defined in this guide. For these reasons. . When this policy setting is enabled. Therefore. the Shutdown: Allow system to be shut down without having to log on setting is configured to the default setting of Disabled in the baseline policy for all three environments that are defined in this guide.

Although this policy setting increases security. and signing This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. To provide additional security. System cryptography: Use FIPS compliant algorithms for encryption. For these reasons. this policy setting is configured to User must enter a password each time they use a key for the SSLF environment. the System cryptography: Force strong key protection for user keys stored on the computer setting is configured to User is prompted when the key is first used in the baseline policy. hashing. and signing System cryptography: Force strong key protection for user keys stored on the computer This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used.24 Security Options: System Cryptography Setting Recommendations Setting Legacy Client User is prompted when the key is first used Disabled Enterprise Client User is prompted when the key is first used Disabled Specialized Security – Limited Functionality User must enter a password each time they use a key Enabled Force strong key protection for user keys stored on the computer Use FIPS compliant algorithms for encryption. For usability requirements in the LC and EC environments. even an attacker who discovers logon passwords. Many client computers are also not configured to support these algorithms. If you configure this policy setting so that users must provide a password—distinct from their domain password—every time that they use a key. then it will be more difficult for an attacker to access locally stored keys. This policy setting is configured to Enabled for the SSLF environment. the System cryptography: Use FIPS compliant algorithms for encryption. UNCLASSIFIED . most public Web sites that are secured with TLS or SSL do not support these algorithms. and signing setting is configured to Disabled in the baseline policy for the LC and EC environments.Chapter 4: The Member Server Baseline Policy 97 System Cryptography Settings Table 4. hashing. hashing.

When system objects are created. the System objects: Require case insensitivity for non-Windows subsystems setting is configured to Enabled in the baseline policy for all three environments that are defined in this guide. the kernel supports case sensitivity for other subsystems. which it allows users who are not administrators to read shared objects but not to modify any that they did not create. Such an occurrence may block another user's access to these files with typical Win32 tools.g. Symbolic Links) This policy setting determines the strength of the default discretionary access control list (DACL) for objects. . However. The Microsoft Win32® subsystem is case insensitive. and helps secure objects that can be located and shared among processes.98 Windows Server 2003 Security Guide System Objects Settings Table 4. System objects: Require case insensitivity for nonWindows subsystems This policy setting determines whether case insensitivity is enforced for all subsystems. To ensure consistency of file names. because only one of the files will be available. failure to enforce this setting makes it possible for a POSIX user to create a file with the same name as another file if they use mixed case letters to label it. Because Windows is case insensitive and the POSIX subsystem supports case sensitivity. To strengthen the DACL you can use the default value of Enabled. such as the Portable Operating System Interface for UNIX (POSIX).25 Security Options: System Objects Setting Recommendations Setting Default owner for objects created by members of the Administrators group Require case insensitivity for nonWindows subsystems Legacy Client Object creator Enabled Enterprise Specialized Security – Client Limited Functionality Object creator Enabled Enabled Object creator Enabled Enabled Strengthen default permissions of Enabled internal system objects (for example. System objects: Strengthen default permissions of internal system objects (e. Symbolic Links) System objects: Default owner for objects created by members of the Administrators group This policy setting determines whether the Administrators group or an object creator is the default owner of any system objects that are created. the ownership will reflect which account created the object rather than the more generic Administrators group. The System objects: Default owner for objects created by members of the Administrators group setting is configured to Object creator in the baseline policy for all three environments that are defined in this guide.

The settings for the Application. access rights for each log. To disable the POSIX subsystem. based on the digital certificate that is associated with the software. It enables or disables certificate rules (a type of software restriction policies rule).g. and retention settings and methods. However. System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an . it is configured to Disabled in the EC environment and to Not defined in the LC environment because of the potential performance impact. You can configure the event log settings in Windows Server 2003 with SP1 at the following location within the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Event Log UNCLASSIFIED . and System event logs. the System settings: Optional subsystems setting is configured to None in the baseline policy for all three environments that are defined in this guide. Event Log The event log records events on the computer. Symbolic Links) setting is configured to the default value of Enabled in the baseline policy for all three environments that are defined in this guide.26 Security Options: System Setting Recommendations Setting System settings: Optional subsystems System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies Legacy Client None Not defined Enterprise Client None Disabled Specialized Security – Limited Functionality None Enabled System settings: Optional subsystems This policy setting determines which subsystems are used to support applications in your environment. you must enable this policy setting.exe file name extension. and System event logs are configured in the MSBP and applied to all member servers in the domain.Chapter 4: The Member Server Baseline Policy 99 The System objects: Strengthen default permissions of internal system objects (e. For certificate rules to take effect in software restriction policies. such as maximum log size. and the Security log records audit events. With software restriction policies. The System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies setting is configured to Enabled in the SSLF environment. Security. The default value for this policy setting in Windows Server 2003 is POSIX. you can create a certificate rule that will allow or disallow the execution of Authenticode®-signed software. System Settings Table 4. Security. The event log container of Group Policy is used to define attributes of the Application.

384 KB in the baseline policy for all three environments that are defined in this guide. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP.384 KB Enabled Enabled Enabled 16. which has a maximum capacity of 4 GB. How you configure this policy setting for other computers depends on factors that include how frequently the log will be reviewed. see the companion guide.920 KB 16.27 Event Log Setting Recommendations Setting Maximum application log size Maximum security log size Maximum system log size Prevent local guests group from accessing application log Prevent local guests group from accessing security log Prevent local guests group from accessing system log Retention method for application log Retention method for security log Retention method for system log Legacy Client 16.384 KB 81. The Maximum application log size setting is configured to the default value of 16.microsoft. For information about the default configuration and a detailed explanation of each of the settings.384 KB Enabled Enabled Enabled As needed As needed As needed As needed As needed As needed Maximum application log size This policy setting specifies the maximum size of the Application event log. and so on. which is available at http://go. However.384 KB Enabled Enabled Enabled As needed As needed As needed Enterprise Specialized Security – Client Limited Functionality 16. and depend on the function of the platform and the need for historical records of application-related events. Additional information about each setting is provided in the subsections that follow the table.920 KB 16. You should configure the Security log to at least 80 MB on domain controllers and stand-alone servers. Maximum security log size This policy setting specifies the maximum size of the Security event log.920 KB 16. this size is not recommended because of the risk of memory fragmentation. see the Microsoft Excel workbook "Windows Server 2003 Security Guide Settings. available disk space.384 KB 81. .384 KB 81.100 Windows Server 2003 Security Guide This section provides details about the prescribed MSBP event log settings for all three environments that are defined in this guide. Table 4. For a summary of the prescribed settings in this section. The following table summarizes the event log setting recommendations for the three environments that are defined in this guide." which is available in the downloadable version of this guide. which should adequately store enough information to conduct audits.com/fwlink/?LinkId=15159. which causes slow performance and unreliable event logging. Requirements for the Application log size vary. which has a maximum capacity of 4 GB.

this policy setting has no real effect on computers with default configurations. UNCLASSIFIED . because this configuration is considered a defense-in-depth measure with no side effects. this policy setting has no real effect on computers with default configurations.Chapter 4: The Member Server Baseline Policy 101 The Maximum security log size security setting is configured to 81. However. the Prevent local guests group from accessing application log setting is configured to Enabled in the baseline policy for all three environments that are defined in this guide. which has a maximum capacity of 4 GB. Note: This setting does not appear in the Local Computer Policy object. guest access is prohibited on all computers. Note: This setting does not appear in the Local Computer Policy object. A user must be assigned the Manage auditing and security log user right (not defined in this guidance) to access the Security log. The Maximum system log size setting is configured to the default value of 16.920 KB in the baseline policy for all three environments that are defined in this guide. which causes slow performance and unreliable event logging. Requirements for the System log size vary. guest access is prohibited on all computers. However. Prevent local guests group from accessing system log This policy setting determines whether guests are denied access to the System event log. the Prevent local guests group from accessing security log setting is configured to Enabled in the baseline policy for all three environments that are defined in this guide. and depend on the function of the platform and the need for historical records. Therefore. Maximum system log size This policy setting specifies the maximum size of the System event log. because this configuration is considered a defense-in-depth measure with no side effects. this size is not recommended because of the risk of memory fragmentation. Therefore. Prevent local guests group from accessing application log This policy setting determines whether guests are denied access to the Application event log. By default in Windows Server 2003 with SP1. Therefore. this policy setting has no real effect on computers with default configurations.384 KB in the baseline policy for all three environments that are defined in this guide. By default in Windows Server 2003 with SP1. Prevent local guests group from accessing security log This policy setting determines whether guests are denied access to the Security event log. However.

Additional Registry Entries Additional registry entries (also called registry values) were created for the baseline security template files that are not defined within the default Administrative Template (. the log will always store the most recent events—although this configuration could result in a loss of historical data. It is imperative that the Security log be archived regularly if historical events are needed for either forensics or troubleshooting purposes. The Retention method for application log setting is configured to As needed in the baseline policy for all three environments that are defined in this guide. To add these registry entries. It is imperative that the Application log be archived regularly if historical events are needed for either forensics or troubleshooting purposes. If events are overwritten as needed. because this configuration is considered a defense-in-depth setting measure with no side effects. these registry entries are not automatically removed with it. These registry entries are embedded within the security templates (in the "Security Options" section) to automate the changes.exe. The Retention method for system log setting is configured to As needed in the baseline policy for all three environments that are defined in this guide. the log will always store the most recent events—although this configuration could result in a loss of historical data. The Retention method for security log setting is configured to As needed in the baseline policy for all three environments that are defined in this guide.102 Windows Server 2003 Security Guide However.inf file . The . If events are overwritten as needed. Retention method for application log This policy setting determines the "wrapping" method for the Application log.adm files define the policies and restrictions for the desktop. shell. The same registry entries are applied across all three environments. the log will always store the most recent events—although this configuration could result in a loss of historical data. you need to modify the Sceregvl. the Prevent local guests group from accessing system log setting is configured to Enabled in the baseline policy for all three environments that are defined in this guide. Note: This setting does not appear in the Local Computer Policy object. and security for Windows Server 2003. It is imperative that the logs be archived regularly if historical events are needed for either forensics or troubleshooting purposes. If events are overwritten as needed. they must be manually changed with a registry editing tool such as Regedt32. Retention method for security log This policy setting determines the "wrapping" method for the Security log.adm) file for the three security environments that are defined in this guide. Retention method for system log This policy setting determines the "wrapping" method for the System log. This guide includes additional registry entries that are added to the Security Configuration Editor (SCE). If the policy is removed.

Microsoft recommends that you harden the TCP/IP stack against DoS attacks. appear under Local Policies\Security in the snap-ins and tools that are listed earlier in this chapter. Details about how to update these files are provided in the companion guide. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. For information about the default settings and a detailed explanation of each of the settings that are discussed in this section.dll file.28 TCP/IP Registry Entry Recommendations Registry entry Format Legacy Client Enterprise Client Specialized Security – Limited Functionality 0 1 0 300. The default TCP/IP stack configuration is tuned to handle standard intranet traffic. You will need to update the Sceregvl.000 2 2 3 0 UNCLASSIFIED . Table 4.com/fwlink/?LinkId=15159.inf file and re-register the Scecli. If you connect a computer directly to the Internet. as well as the additional ones. see Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. This section is only a summary of the additional registry entries that are described in detail in the companion guide. The original security entries.dll file for any computers on which you will edit the security templates and Group Policies that are provided with this guide. You can add the registry values in the following table to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Param eters\ subkey.000 2 2 3 0 EnableICMPRedirect SynAttackProtect EnableDeadGWDetect KeepAliveTime DisableIPSourceRouting TcpMaxConnectResponseRetrans missions TcpMaxDataRetransmissions PerformRouterDiscovery DWORD DWORD DWORD DWORD DWORD DWORD DWORD DWORD 0 1 0 300.000 2 2 3 0 0 1 0 300. Security Consideration for Network Attacks Denial of service (DoS) attacks are network attacks that attempt to make a computer or a particular service on a computer unavailable to network users. To help prevent these attacks. DoS attacks can be difficult to defend against.Chapter 4: The Member Server Baseline Policy 103 (located in the %windir%\inf folder) and re-register the Scecli. you should keep your computer updated with the latest security fixes and harden the TCP/IP protocol stack on computers that run Windows Server 2003 with SP1 and are exposed to potential attackers. which is available at http://go.microsoft.

3 style filenames (recommended) MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended) MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments) DWORD 1 1 DWORD 0 0 1 DWORD 0xFF 0xFF 0xFF String 0 0 0 DWORD 90 90 90 DWORD 1 1 1 DWORD 1 1 0 DWORD 0 0 0 DWORD 1 1 0 . Table 4.104 Windows Server 2003 Security Guide Other Registry Entries Other recommended registry entries that are not specific to TCP/IP are listed in the following table. Additional information about each entry is provided in the subsections that follow the table.29 Other Registry Entry Recommendations Registry entry Format Legacy Client Enterprise Client Specialized Security – Limited Functionality 1 MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.

Disable Autorun: Disable Autorun for all drives This entry appears as MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended) in the SCE. Disable Auto Generation of 8. The 8. NetBIOS over TCP/IP is a network protocol that (among other things) provides a way to easily resolve NetBIOS names that are registered on Windows-based computers to the IP addresses that are configured on those computers. As a result.3 style filenames This entry appears as MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.Chapter 4: The Member Server Baseline Policy 105 Registry entry Format Legacy Client Enterprise Client Specialized Security – Limited Functionality 1 MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended) MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) DWORD 1 1 DWORD 3 3 3 Configure NetBIOS Name Release Security: Allow the computer to ignore NetBIOS name release requests except from WINS servers This entry appears as MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers in the SCE.3 style filenames (recommended) in the SCE. Windows Server 2003 with SP1 supports 8. Autorun begins to read from a drive on your computer as soon as media is inserted into it. You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parame ters\ subkey.3 file name formats for backward compatibility with16-bit applications. UNCLASSIFIED . You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\ subkey. things like the setup file (for programs) or the sound (for audio content) start immediately. This value determines whether the computer releases its NetBIOS name when it receives a name-release request.3 File Names: Enable the computer to stop generating 8.3 file name convention is a format that only allows file names of eight characters or less.

For example. Search the current working folder first. It generates a security audit in the Security log when its size reaches a user-defined threshold. if you configure the value for this registry entry to 90 and the Security log reaches 90 percent of capacity. and then search the current working folder.” Note: If you configure log settings to Overwrite events as needed or Overwrite events older than x days. You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ Winlogon\ subkey. and then search the folders that are specified in the system path. Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended) This entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) in the SCE. this event will not be generated. The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: • • Search folders that are specified in the system path first. You can add this registry value to the security template file in the HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Services\Eventlog\Security\ subkey. This option became available with SP3 for Windows 2000. .106 Windows Server 2003 Security Guide You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\P olicies\Explorer\ subkey. Security Log Near Capacity Warning: Percentage threshold for the security event log at which the system will generate a warning This entry appears as MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning in the SCE. the log will show one entry with an eventID of 523 that reads as follows: “The security event log is 90 percent full. Make Screensaver Password Protection Immediate: The time in seconds before the screen saver grace period expires (0 recommended) This entry appears as MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) in the SCE. Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled.

UNCLASSIFIED . the computer first searches the current working folder and then the folders that are specified in the system path. You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\ subkey. If you configure this entry to 0.Chapter 4: The Member Server Baseline Policy 107 The registry value is configured to 1. Automatic Reboot: Allow Windows to automatically restart after a system crash This entry appears as MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) in the SCE. when Windows networking is active on a server. Automatic Logon: Enable Automatic Logon This entry appears as MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) in the SCE. You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Para meters\ subkey. You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Control\Session Manager\ subkey. For more information.com/default. By default.microsoft. You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ Winlogon\ subkey. which is undesirable on highly secure servers. It is enabled by default. when enabled. Windows will create hidden administrative shares—which is undesirable on highly secure servers. This entry. this entry is not enabled and should never be used on a server in practically any conceivable circumstance. Administrative Shares: Enable Administrative Shares This entry appears as MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments) in the SCE. permits a server to automatically reboot after a fatal crash. see the Microsoft Knowledge Base article "How to turn on automatic logon in Windows XP" at http://support. By default.aspx?kbid=315231. which causes the computer to first search the folders that are specified in the system path and then the current working folder.

By default. The default exemptions to IPsec policy filters are documented in the Microsoft Windows Server 2003 online help. Restricted Groups The Restricted Groups capability allows you to manage group membership through policy mechanisms and prevent either deliberate or inadvertent exploitation of groups that have powerful user rights. The filters also make it possible for the network Quality of Service (QoS) to be signaled (RSVP) when the data traffic is secured by IPsec. then carefully control their membership and do not implement the guidance for the Restricted Groups setting. You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServ er\ Parameters\ subkey. The Backup Operators and Power Users groups are restricted in all three environments that are defined in this guide. These filters make it possible for Internet Key Exchange (IKE) and the Kerberos authentication protocol to function. Although members of the Backup Operators and Power Users groups have less access than members in the Administrators group. If your organization adds users to the Power Users group. you can define its members and any other groups to which it belongs. You can configure the Restricted Groups setting in Windows Server 2003 with SP1 at the following location within the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Restricted Groups\ Administrators may configure restricted groups by adding the desired group directly to the MSBP. which is not desirable on a server. If you do not specify these group members. Note: If your organization uses any of these groups.108 Windows Server 2003 Security Guide Disable Saved Passwords: Prevent the dial-up password from being saved This entry appears as MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended) in the SCE. You should first review the needs of your organization to determine the groups that you want to restrict. they still have powerful capabilities. the group remains totally restricted. When a group is restricted. You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\ subkey. and for traffic that IPsec might not secure (such as multicast and broadcast traffic). Enable IPSec to protect Kerberos RSVP Traffic: Enable NoDefaultExempt for IPSec Filtering This entry appears as MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) in the SCE. Windows will offer the option to save passwords for dial-up and VPN connections. you may want to implement the optional file system permissions that are described in the following “Securing the File System” section. .

exe rsh. You can configure the file system security settings at the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\File System Note: You should thoroughly test any changes to the default file system security settings in a lab environment before you deploy them in a large organization. you may want to apply the optional permissions that are described in the paragraph that follows.exe rexec.exe netsh.exe edlin. and they are all given the following permissions: Administrators: Full Control.exe cacls.exe attrib.inf. • • • • • • • • • • • • • • • • regedit.exe eventcreate. UNCLASSIFIED .exe regini. There have been cases in which file permissions have been altered to a point that required the affected computers to be completely rebuilt.exe debug.exe arp.exe eventtriggers.exe ftp.exe secedit.exe reg.exe net1. The settings that are discussed in this section are provided for optional use by organizations that do not use restricted groups but still wish to have an additional level of hardening on their servers. Note how these changes do not affect multiple folders or the root of the system volume.exe nslookup. and doing so can often cause computer instability. which is included with the downloadable version of this guide. They are very specific. and they apply additional restrictions to certain executable tools that a malicious user with elevated privileges may use to further compromise the computer or network.exe nbtstat.Chapter 4: The Member Server Baseline Policy 109 Securing the File System The NTFS file system has been improved with each new version of Microsoft Windows.exe regsvr32.exe telnet.exe regedt32. All of the following files are located in the %SystemRoot%\System32\ folder.exe tftp. and the default permissions for NTFS are adequate for most organizations.exe For your convenience. It can be very risky to change permissions in that manner.exe route.exe at. System: Full Control.exe rcp. these optional permissions are already configured in the security template called Optional-File-Permissions.exe tlntsvr.exe • • • • • • • • • • • • • • • • ntbackup.exe systeminfo.exe netstat. The default file permissions in Windows Server 2003 with SP1 are sufficient for most situations. if you do not plan to block membership of the Power Users group with the Restricted Groups feature or if you plan to enable the Network access: Let Everyone permissions apply to anonymous users setting.exe net. However.exe subst.exe sc.

Support_388945a0. is unique. Support_388945a0. For a detailed explanation of each of the countermeasures discussed in this section.com/fwlink/?LinkId=15159. Guest. However. The Built-in Administrator is the built-in user account. Guest. which is part of the SID. which is available at http://go. Manual Hardening Procedures This section describes how some additional countermeasures (such as securing accounts) were implemented manually for each of the security environments that are defined in this guide. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP.30 Manually Added User Rights Assignments Setting Name in UI Deny access to this computer from the network Legacy Client Enterprise Client Specialized Security – Limited Functionality Built-in Administrator. there are additional settings that are difficult or impossible to apply with Group Policy. Manually Adding Unique Security Groups to User Rights Assignments Most of the recommended security groups for user rights assignments were configured within the security templates that accompany this guide. not the security group Administrators. Support_388945a0. Warning: The following table contains values for Built-in Administrator. there are a few rights that cannot be included in the security templates. all NONOperating System service accounts Support_388945a0 and Guest Built-in Built-in Administrator. When you add this account to any deny access user rights. Also. all NONOperating System service accounts Support_388945a0 and Guest Deny log on as a batch job Support_388945a0 and Guest . all NONOperating System service accounts Guest. see the companion guide. If the Administrators security group is added to any of the following deny access user rights.110 Windows Server 2003 Security Guide Additional Security Settings Although most of the countermeasures that are used to harden the baseline servers in this guide were applied through Group Policy. make sure that you select the newly renamed administrator account. The problem is that the RID (Relative Identifier).microsoft. Administrator. the Built-in Administrator account may have a new name if you followed the recommendation to rename it earlier in this guide. These rights are referenced in the following table. Table 4. because the SIDs of the specific security groups are unique between different Windows Server 2003 domains. you will need to log on locally to correct the mistake.

Guest . Support_388945a0. Guests.Chapter 4: The Member Server Baseline Policy 111 Setting Name in UI Deny log on through Terminal Services Legacy Client Enterprise Client Specialized Security – Limited Functionality Built-in Administrator. Two of the most well-known built-in accounts in Windows Server 2003 are Guest and Administrator. select the Enterprise Client Member Server Baseline Policy to edit the linked GPO. 5. 6. or the NETWORK SERVICE accounts that are built-in accounts for the operating system. all NONoperating system service accounts Important: All NON-operating system service accounts are service accounts for specific applications in your enterprise. b. The value of this configuration change has diminished over the past few years since the release of attack tools that specify the SID (security identifier) of the built-in Administrator account to determine its true name and then break in to the server. Many variations of malicious code use the built-in Administrator account in an initial attempt to compromise a server. type gpupdate /Force and press ENTER to force the server to refresh the policy. 7. This configuration should not be changed.Member Server Baseline Policy. Support_388945a0. group. Close the Member Servers OU Properties window. and then select Properties. These accounts do not include LOCAL SYSTEM. Reboot the server. Select Enterprise Client – Member Server Baseline Policy. the built-in Administrator account is renamed and the description altered to help prevent compromise of a remote server by attackers who try to use this well-known account. and then click Edit. Guests. click Computer Configuration\Windows Settings\Security Setting\Local Policies\User Rights Assignment to add the unique security groups from the previous table for each right. Guests. On the Group Policy tab. To manually add the listed security groups to the Enterprise Client . A SID is the value that uniquely identifies each user. In the Group Policy window. Securing Well-Known Accounts Windows Server 2003 with SP1 has a number of built-in user accounts that cannot be deleted but can be renamed. Force replication between the domain controllers so that all have the policy applied to them by doing the following: a. 4. To add security groups to the User Rights Assignments In Active Directory Users and Computers. By default. all NONoperating system service accounts Built-in Administrator. computer account. 2. Support_388945a0. Close the Group Policy that you modified. 3. Guest . Open a command prompt. right-click the Member Servers OU. Verify in the event log that the Group Policy downloaded successfully and that the server can communicate with the other domain controllers in the domain. and logon session on a UNCLASSIFIED . 1. all NONoperating system service accounts Built-in Administrator. LOCAL SERVICE. the Guest account is disabled on member servers and domain controllers. complete the following steps. Therefore. Guest.

and change their passwords to long and complex values on every domain and server. For more information about how to secure service accounts. Use different names and passwords on each server. This support is not available with the file allocation table (FAT) or FAT32 file systems. Use the convert utility to carefully convert FAT partitions to NTFS. FAT32 is included in Windows 95 OSR2. However. All partitions on servers in all three environments that are defined in this guide are formatted with NTFS partitions to provide the means for file and directory security management through ACLs. an attacker who gains access to one member server will be able to gain access to all others with the same account name and password. However. and Windows Server 2003. Format all partitions on every server with NTFS. If the server is physically compromised. FAT32 is a version of the FAT file system that has been updated to permit significantly smaller default cluster sizes and to support hard disks up to two terabytes in size. For computers that run Windows 2003 Server with SP1. you can configure the Accounts: Rename administrator account setting to rename administrator accounts in all three environments that are defined in this guide.microsoft. your operations groups can easily monitor attempted attacks against the Administrator account if you rename it with a unique name.com/fwlink/?LinkId=41311. apply the following two security templates locally to configure the default file system ACLs for member servers and domain controllers respectively: • • %windir%\inf\defltsv.inf %windir%\inf\defltdc. It is not possible to change the SID of this built-in account. domain account passwords could be easily obtained by dumping LSA secrets. This setting was not implemented in the baseline policy because every organization should choose a unique name for this account. Microsoft Windows Me. see The Services and Service Accounts Security Planning Guide at http://go. but remember that the convert utility will set the ACLs for the converted drive to Everyone: Full Control.inf Note: The default domain controller security settings are applied during the promotion of a server to a domain controller. Windows 2000. This policy setting is a part of the Security Options settings of a GPO. Complete the following steps to secure well-known accounts on domains and servers: • • Rename the Administrator and Guest accounts. • • Note: The built-in Administrator account can be renamed through Group Policy. Securing Service Accounts Never configure a service to run under the security context of a domain account unless it is unavoidable.112 Windows Server 2003 Security Guide network. Windows 98. NTFS NTFS partitions support ACLs at the file and folder levels. Windows XP Professional. . Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts. Record any changes that you make in a secure location. If the same account names and passwords are used on all domains and servers.

Chapter 4: The Member Server Baseline Policy 113 Terminal Services Settings The Set client connection encryption level setting determines the level of encryption for Terminal Services client connections in your environment.33 Recommended Error Reporting Settings Setting Turn off Windows Error Reporting Legacy Client Enabled Enterprise Client Enabled Specialized Security – Limited Functionality Enabled UNCLASSIFIED . Use this level when the terminal server runs in an environment that contains 128-bit clients only (such as Remote Desktop Connection clients).32 Terminal Services Encryption Levels Encryption level High level Description Encrypts data that is sent from client to server and from server to client with strong 128-bit encryption. Encrypts data that is sent between the client and the server at the maximum key strength that is supported by the client. Use this level when the terminal server runs in an environment that contains mixed or legacy clients. Client Compatible Low level Error Reporting Table 4. If your network contains such clients. You can configure this setting in Group Policy at the following location: Computer Configuration\Administrative Templates\Windows Components\ Terminal Services\Encryption and Security Table 4. Clients that do not support this level of encryption will not be able to connect. Important: Data sent from the server to the client is not encrypted. set the encryption level of the connection to send and receive data at the highest encryption level that is supported by the client. The High Level setting option that uses 128-bit encryption prevents an attacker from eavesdropping on Terminal Services sessions with a packet analyzer. Some older versions of the Terminal Services client do not support this high level of encryption. Encrypts data that is sent from the client to the server with 56-bit encryption.31 Client Connection Encryption Level Setting Recommendation Setting name in UI Set client connection encryption level Legacy Client High Enterprise Client High Specialized Security – Limited Functionality High The three available levels of encryption are described in the following table: Table 4.

sensitive information may be included in the Memory. If you generate a memory dump file on a server that is at risk for physical compromise. you must use SCW (the Security Configuration Wizard tool) and the security templates that are included with the downloadable version of this guide. Enable Manual Memory Dumps Windows Server 2003 with SP1 includes a feature that you can use to halt the computer and generate a Memory. During the MSBP creation steps you will probably remove the File server role from the list of detected roles. Ideally. be sure to delete the dump file after troubleshooting is concluded. This role is commonly configured on servers that do not require it and could be considered a security risk. When you create your own policy.dmp file to be generated with the keyboard at http://support. all servers are protected from unauthorized physical access. Windows component errors. which could be intercepted on the Internet and viewed by third parties. or program errors. However. The new installation is called a reference computer. which helps ensure that there are no legacy settings or software from previous configurations. the Microsoft privacy policy with regard to error reporting ensures that Microsoft will not use such data improperly. you should use hardware that is similar to the hardware that is used in your deployment to help ensure as much compatibility as possible. You should use a new installation of the operating system to begin your configuration work. The Turn off Windows Error Reporting setting can control whether the Error Reporting service transmits any data. you can follow the instructions that are provided in Windows feature allows a Memory. you can apply a second policy later in this process. If possible.114 Windows Server 2003 Security Guide This service helps Microsoft track and address errors. Creating the Baseline Policy Using SCW To deploy the necessary security settings. If you determine that it would be valuable to capture memory dumps on some servers. To do so. you first need to create a member server baseline policy (MSBP). You can configure this policy setting in Windows Server 2003 at the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communications settings Configure the Turn off Windows Error Reporting setting to Enabled in the DCBP for all three environments that are defined in this guide.aspx?kbid=244139. Important: When memory is copied to disk as described in the referenced article.microsoft.com/default. To enable the File server role for servers that require it. You must explicitly enable this feature. . be sure to skip the "Registry Settings" and “Audit Policy” sections. and it may not be appropriate for all servers in your organization. This approach is necessary to ensure that the policy elements that are provided by the templates take precedence over those that would be configured by SCW. The Error Reporting service can report such errors to Microsoft through the Internet or to an internal file share. You can configure this service to generate reports for operating system errors. These settings are provided by the security templates for your chosen environment.dmp file. It is only available in Windows XP Professional and Windows Server 2003.dmp file. the data is transmitted in plaintext HTTP. Although error reports can potentially contain sensitive or even confidential data.

7. Add/Remove Windows Components. Add/Remove Programs. such as backup agents or antivirus software. Decide how to handle unspecified services in your environment. Ensure that any additional services that are required by your baseline. your test servers will have the same hardware and software configuration as your production servers. 8. Ideally. 16.Chapter 4: The Member Server Baseline Policy 115 To create the Member Server Baseline Policy 1. Remove the File server role from the listed of detected roles.inf). 2. 14. 3. or deploy the policies through a GPO. Member Server Baseline. When you start to author your policies. you should consider using the native SCW deployment facilities. 11. The native deployment method offers the advantage of the ability to easily roll back deployed policies from within SCW. are detected. such as the presence of unexpected services that are required by specific hardware devices. In the "Audit Policy" section. 5. and point it to the reference computer. EC-Member Server Baseline. Microsoft strongly recommends that you deploy it to your test environment. In the "Registry Settings" section. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer. click the Skip this section checkbox and then click Next.xml). UNCLASSIFIED . Test the Policy Using SCW After you create and save the policy. Join the computer to the domain. 12. Install the Security Configuration Wizard component on the computer through Control Panel. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall. Ensure the Skip this section checkbox is unchecked in the "Network Security" section. You can use SCW to push a policy to a single server at a time. This approach will allow you to find and fix potential problems. 10. These policy settings are imported from the supplied INF file. and then click Next. Ensure that the detected client features are appropriate for your environment. select Create new policy. Ensure that the detected administrative options are appropriate for your environment. For extra security. 6. You can use the native SCW deployment facilities. Ensure that the detected server roles are appropriate for your environment. Examples include your software and management agents. 13. Install and configure only the mandatory applications that will be on every server in your environment. 15. Save the policy with an appropriate name (for example. These policy settings are imported from the supplied INF file. you may wish to configure this policy setting to Disable. Launch the SCW GUI. tape backup agents. and antivirus or antispyware utilities. 9. 4. Include the appropriate security template (for example. Create a new installation of Windows Server 2003 with SP1 on a new reference computer. click the Skip this section checkbox and then click Next. Two options are available to test the policy. or use Scwcmd to push the policy to a group of servers.

xml" /g:"Member Server Baseline Policy" Note: The information to be entered at the command prompt shows on more than one line here because of display limitations.xml> /g:<GPODisplayName> and then press ENTER. Summary This chapter explained the server hardening procedures that were initially applied to all of the servers that run Windows Server 2003 with SP1 in all three security environments that are defined in this guide. Most of these procedures created a unique security template for each security environment and imported it into a GPO that is linked to the parent OU for the member server to achieve the targeted level of security. For example. To verify that Windows Firewall is active. Windows Firewall must be active on the local computer for this procedure to complete successfully. Convert and Deploy the Policy After you thoroughly test the policy. After you apply the configuration changes. if the server is configured as a certification authority (CA). For example: scwcmd transform /p:"C:\Windows\Security\msscw\Policies\Member Server Baseline. You should now perform a final test to ensure that the GPO applies the desired settings. . open Control Panel and then double-click Windows Firewall. download a certificate revocation list.microsoft. Note that if the SCW security policy file contains Windows Firewall settings.com/WindowsServer/en/Library/5254f8cd-143e-4559-a2999c723b3669461033. However. This information should all be entered on one line. confirm that the appropriate settings were made and that functionality is not affected.mspx and the Security Configuration Wizard Documentation at http://go. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. type the following command: scwcmd transform /p:<PathToPolicy. ensure that clients can request and obtain certificates. you should begin to verify the core functionality of the computer. you can use Scwcmd as shown in the following procedure to convert the policies to GPOs. When you are confident in your policy configurations. At the command prompt. 2. Guidance was provided about how to configure these settings manually. Additional steps were taken for specific server roles to enable them to function within their roles as securely as possible. some of these hardening procedures cannot be applied through Group Policy.com/fwlink/?linkid=43450. For more details about how to test SCW policies. complete the following steps to convert it into a GPO and deploy it: 1. see the Deployment Guide for the Security Configuration Wizard at http://technet2. and so on. To complete this procedure. The policy is tested to ensure that the application of this policy to the target servers will not adversely affect their critical functions.116 Windows Server 2003 Security Guide This capability can be very useful when you make multiple changes to your policies during the test process.microsoft.

microsoft. For more information about how to customize the Security Configuration Editor user interface. see the Security Setting Descriptions page at http://technet2. see “Securing Windows 2000 Terminal Services” at www. see the Windows Server 2003 Security Center at www. see the Differences in default security settings page at http://technet2. More Information The following links provide additional information about topics that relate to hardening servers that run Windows Server 2003 with SP1. see the Microsoft Knowledge Base article “HOW TO: Create Custom Administrative Templates in Windows 2000” at http://support. • For more information about Windows Server 2003 security settings. For more details about how to harden the settings for Windows Sockets applications. see the Microsoft Knowledge Base article "Internet Server Unavailable Because of Malicious SYN Attacks" at http://support. see the Microsoft Knowledge Base article “How to Add Custom Registry Settings to Security Configuration Editor” at http://support. For more information about the location of .microsoft.com/WindowsServer/en/Library/589980fb-1a83490e-a745-357750ced3d91033.microsoft. For more information about how to create custom administrative template files in Windows. UNCLASSIFIED • • • • • • • • • • • .com/technet/prodtechnol/win2kts/maintain/optimize/secw2kts. see the Microsoft Knowledge Base article "Location of ADM (Administrative Template) Files in Windows" at http://support.mspx. For more information about security for Windows Server 2003. see the User rights page at http://technet2.mspx.com/technet/prodtechnol/windowsserver2003/technologies/managem ent/gp/admtgp.microsoft.microsoft.adm files.Chapter 4: The Member Server Baseline Policy 117 Server role-specific steps include both additional hardening procedures and procedures to reduce the security settings in the baseline security policy.mspx. see the Auditing Policy page at http://technet2. For more information about how to secure Windows 2000 Terminal Services.com/?kbid=214752.microsoft.microsoft.mspx. For more information about Microsoft Operations Manger (MOM).microsoft. For more information about default security settings for Windows Server 2003.mspx. For more information about how to secure the Windows Server 2003 TCP/IP stack.com/?kbid=228460. Also review the white paper “Using Administrative Template Files with Registry-Based Group Policy” at www.mspx.microsoft.com/WindowsServer/en/Library/dd980ca3-f686-4ffc-a61750c6240f55821033.com/?kbid=324270.microsoft.com/mom/.microsoft.com/?kbid=142641. see the Microsoft Knowledge Base article "How To Harden the TCP/IP Stack Against Denial of Service Attacks in Windows Server 2003" at http://support. For more information about audit policy for Windows Server 2003.mspx. see the Microsoft Operations Manager page at www. These changes are discussed in detail in the following chapters of this guide.com/WindowsServer/en/Library/6847e72b9c47-42ab-b3e3-691addac9f331033.microsoft.microsoft. For more information about user rights in Windows Server 2003.com/WindowsServer/en/Library/1494bf2c-b596-4785-93bbbc86f8e548d51033.com/technet/security/prodtech/windowsserver2003.com/?kbid=323639.

see the Microsoft Knowledge Base article "Service overview and network port requirements for the Windows Server system" at http://support. • • • • • • . see the Default settings for services page at http://technet2.microsoft.aspx.0 Domain" at http://support.com/?kbid=305379. For more information about NTLMv2 authentication.com/resources/satech/cer/. see the Corporate Error Reporting page at www. see the Microsoft Knowledge Base article "Authentication Problems in Windows 2000 with NTLM 2 Levels Above 2 in a Windows NT 4.microsoft.microsoft.com/?kbid=239869.microsoft.118 Windows Server 2003 Security Guide • For more information about ensuring that more secure LAN Manager authentication level settings work in networks with a mix of Windows 2000 and Windows NT 4.com/technet/technetmag/issues/2005/01/SmartCards/default. For information about network ports used by Microsoft applications. For more information about the "Restrict Anonymous" registry value and Windows 2000. see the Microsoft Knowledge Base article "How to enable NTLM 2 authentication" at http://support.microsoft. see “Get Smart! Boost Your Network’s IQ With Smart Cards” at www.microsoft.0 computers.com/?kbid=296405. For more information about error reporting. For more information about smart card deployment. see the Microsoft Knowledge Base article “The "RestrictAnonymous" Registry Value May Break the Trust to a Windows 2000 Domain” at http://support.microsoft.mspx.com/WindowsServer/en/Library/2b1dc6cf-2e34-4681-9aa68d0ffba2d3e31033.com/kb/832017. For more information about the default settings for services in Windows Server 2003.

Any loss or compromise of a domain controller in such an environment could seriously affect client computers. domain controllers should always be stored in physically secure locations that are accessible only to qualified administrative staff. and applications that rely on domain controllers for authentication.inf files that are included with this guide for the Legacy Client (LC). "The Member Server Baseline Policy" to fully understand the many policy settings that are also included in the DCBP. When domain controllers must be stored in unsecured locations. servers. Domain controller templates are uniquely designed to address the security needs of the three environments that are defined in this guide. Domain Controller Baseline Policy Unlike the other server role policies that are detailed later in this guide. you should carefully review Chapter 4. Enterprise Client (EC). such as branch offices. Only the DCBP settings that differ from those in the MSBP are documented in this chapter. For example. The following table shows the domain controller .inf file is the security template for the Enterprise Client environment.UNCLASSIFIED Chapter 5: The Domain Controller Baseline Policy Overview Addressing security in the Domain Controller server role is one of the most important aspects of any environment with computers that run Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1) and the Active Directory® directory service. and a centralized lightweight directory access protocol (LDAP) directory. UNCLASSIFIED . "The Member Server Baseline Policy. Therefore. Because of their importance. the Group Policy for the Domain Controllers server role is a baseline policy like the Member Server Baseline Policy (MSBP) defined in Chapter 4. the EC-Domain Controller. Most of the DCBP is copied from the MSBP." The Domain Controller Baseline Policy (DCBP) is linked to the Domain Controllers organizational unit (OU) and takes precedence over the Default Domain Controllers Policy. The policy settings that are included in the DCBP will strengthen the overall security of all domain controllers in any environment. several security settings can be adjusted to limit the potential damage from physical threats. Group Policy. and Specialized Security – Limited Functionality (SSLF) environments.

1 Domain Controller Baseline Security Templates Legacy Client LC-Domain Controller.inf Note: Domain operations could be severely impaired if an incorrectly configured Group Policy object (GPO) is linked to the Domain Controllers OU. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a specified SACL. The Audit directory service access setting is configured to No auditing in the LC and EC environments. failures. you can specify whether to audit successes.3 Directory Service Access Events Event ID Event description ID 566 Description A generic object operation took place. Table 5. You should only enable this setting if you actually intend to use the information that is created. a large volume of entries can be generated in the Security logs on domain controllers. see Chapter 4. For more information.inf Enterprise Client EC-Domain Controller. or not audit the event type at all. If you enable the Audit directory service access setting in the DCBP and configure SACLs on directory objects. If you define the Audit directory service access setting.2 Recommended Audit Policy Settings Setting Audit directory service access Legacy Client No auditing Enterprise Client No auditing Specialized Security – Limited Functionality Failure Audit directory service access This policy setting determines whether to audit user access to an Active Directory object that has its own specified system access control list (SACL).120 Windows Server 2003 Security Guide Table 5. Table 5." The policy settings in the DCBP ensure that all the relevant security audit information is logged on the domain controllers. and verify that all imported policy settings are correct before you link a GPO to the Domain Controllers OU. It is configured to log Failure events in the SSLF environment. . Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a specified SACL. Audit Policy Settings The Audit policy settings for domain controllers are almost the same as those specified in the MSBP.inf Specialized Security – Limited Functionality SSLF-Domain Controller. The following table includes the important security events that the Audit directory service access setting records in the Security log. "The Member Server Baseline Policy. Use extreme care when you import these security templates.

Chapter 5: The Domain Controller Baseline Policy

121

User Rights Assignment Settings
The DCBP specifies a number of user rights assignments for the domain controllers. In addition to the default configuration, several user rights settings were modified to strengthen the security for the domain controllers in the three environments that are defined in this guide. This section provides details about the prescribed user rights settings for the DCBP that differ from those in the MSBP. For a summary of the prescribed settings in this section, refer to the Microsoft Excel® workbook "Windows Server 2003 Security Guide Settings" that is included with the downloadable version of this guide. The following table summarizes the recommended user rights assignment settings for the DCBP. Additional information for each setting is provided in the sections that follow the table. Table 5.4 Recommended User Rights Assignments Settings Setting Legacy Client Enterprise Client Specialized Security – Limited Functionality Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS Administrators Administrators

Access this computer from the network

Not defined

Not defined

Add workstations to domain Allow log on locally

Not defined Administrators, Server Operators, Backup Operators Administrators Administrators, LOCAL SERVICE Not Defined

Not defined Administrators, Server Operators, Backup Operators Administrators Administrators, LOCAL SERVICE Not Defined

Allow log on through Terminal Services Change the system time Enable computer and user accounts to be trusted for delegation Load and unload device drivers Restore files and directories Shutdown the system

Administrators Administrators, LOCAL SERVICE Administrators

Administrators Administrators Administrators

Administrators Administrators Administrators

Administrators Administrators Administrators

Access this computer from the network
This policy setting determines which users and groups are allowed to connect to the domain controller over the network. It is required by a number of network operations, including Active Directory replication between domain controllers, authentication requests

UNCLASSIFIED

122

Windows Server 2003 Security Guide

to domain controllers from users and from computers, and for access to shared folders and printers. Although permissions that are assigned to the Everyone security group no longer provide access to anonymous users in Windows Server 2003 with SP1, guest groups and accounts can still be provided with access through the Everyone security group. For this reason, the Everyone security group is removed from the Access this computer from the network user right in the DCBP for the SSLF environment. Removal of this group provides an extra safeguard against attacks that target guest access to the domain. This policy setting is configured to Not defined for the LC and EC environments.

Add workstations to domain
This policy setting specifies which users can add computer workstations to a specific domain. For this policy setting to take effect, it must be assigned to the user as part of the Default Domain Controller Policy for the domain. A user who has been assigned this right can add up to 10 workstations to the domain. Users who have been assigned the Create Computer Objects permission for an OU or the Computers container in Active Directory can add an unlimited number of computers to the domain, regardless of whether they have been assigned the Add workstations to a domain user right. By default, all users in the Authenticated Users group have the ability to add up to 10 computer accounts to an Active Directory domain. These new computer accounts are created in the Computers container. In Windows–based networks, the term security principal is defined as a user, group, or computer that is automatically assigned a security identifier to control access to resources. In an Active Directory domain, each computer account is a full security principal with the ability to authenticate and access domain resources. However, some organizations may want to limit the number of computers in an Active Directory environment so that they can consistently track, build, and manage the computers. If users are allowed to add computers to the domain, tracking and management efforts would be hampered. Also, users could perform activities that are more difficult to trace because of their ability to create additional unauthorized domain computers. For these reasons, the Add workstations to domain user right is assigned only to the Administrators group in the DCBP for the SSLF environment. This policy setting is configured to Not defined for the LC and EC environments.

Allow log on locally
This policy setting specifies which users can start interactive sessions on the domain controller. Users who do not have this right are still able to start a remote interactive session on the domain controller if they have been assigned the Allow logon through Terminal Services user right. You should restrict the number of accounts that can log on to domain controller consoles to help prevent unauthorized access to domain controller file systems and system services. A user who is able to log on to the console of a domain controller could maliciously exploit the computer and possibly compromise the security of an entire domain or forest. By default, the Account Operators, Backup Operators, Print Operators, and Server Operators groups are assigned the Allow log on locally user right on domain controllers. Users in these groups should not need to log on to a domain controller to perform their management tasks, and they should be able to perform their duties from

Chapter 5: The Domain Controller Baseline Policy

123

other workstations. Only users in the Administrators group should perform maintenance tasks on domain controllers. If you assign the Allow log on locally user right only to the Administrators group, physical and interactive domain controller access is limited to only highly trusted users, which enhances security. For this reason, the Allow log on locally user right is assigned only to the Administrators group in the DCBP for the SSLF environment. This policy setting is configured to include the Server Operators and Backup Operators groups for the LC and EC environments.

Allow log on through Terminal Services
This policy setting specifies which users can log on to the domain controller through a Remote Desktop connection. You should restrict the number of accounts that can log on to domain controller consoles through Terminal Services to help prevent unauthorized access to domain controller file systems and system services. A user who is able to log on to the console of a domain controller through Terminal Services can exploit that computer and possibly compromise the security of an entire domain or forest. If you assign the Allow log on through Terminal Services user right only to the Administrators group, interactive domain controller access is limited to only highly trusted users, which enhances security. For this reason, the Allow log on through Terminal Services user right is assigned only to the Administrators group in the DCBP for all three environments that are defined in this guide. Although logon to a domain controller through Terminal Services requires administrative access by default, configuration of this policy setting helps protect against inadvertent or malicious actions that might compromise the network. As an additional security measure, the DCBP denies the default Administrator account the Allow log on through Terminal Services user right. This configuration prevents attempts by malicious users to remotely break into a domain controller with the default Administrator account. For more details about this policy setting, see Chapter 4, "The Member Server Baseline Policy."

Change the system time
This policy setting specifies which users can adjust the time on a computer's internal clock. However, it is not needed to change the time zone or other display characteristics of the system time. Synchronized system time is critical to the operation of Active Directory. Proper Active Directory replication and authentication ticket generation processes that are used by the Kerberos authentication protocol rely on time being synchronized across any environment. A domain controller clock that is not synchronized with the system time on other domain controllers in the environment could interfere with the operation of domain services. If only administrators are allowed to modify system time, the possibility of incorrect system time on a domain controller is minimized. By default, the Server Operators group has the ability to modify system time on domain controllers. Because of the problems that could be caused by incorrect modification of a domain controller's clock by members of this group, the Change the system time user right is assigned in the DCBP to only the Administrators group and the Local Service account for all three environments that are defined in this guide.

UNCLASSIFIED

124

Windows Server 2003 Security Guide

For more information on the Microsoft Windows® Time Service, see the Windows Time Service Technical Reference at http://technet2.microsoft.com/WindowsServer/en/Library/a0fcd250-e5f7-41b3-b0e8240f8236e2101033.mspx.

Enable computer and user accounts to be trusted for delegation
This policy setting specifies which users can change the Trusted for Delegation setting on a user or computer object in Active Directory. Delegation of authentication is a capability that is used by multi-tier client/server applications. It allows a front-end service, such as an application, to use the credentials of a client in authenticating to a back-end service, such as a database. For such authentication to be possible, both client and server must run under accounts that are trusted for delegation. Misuse of this user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this user right to gain access to network resources as if they were a different user, which could make it difficult to determine what has happened after a security incident. The Enable computer and user accounts to be trusted for delegation user right is assigned only to the Administrators group on domain controllers for the SSLF environment. This policy setting is configured to Not defined for the LC and EC environments.
Note: Although the Default Domain Controllers Policy assigns the Administrators group this user right, the DCBP enforces this right in the SSLF environment only because it was originally based on the MSBP. The MSBP assigns this right a null value.

Load and unload device drivers
This policy setting specifies which users can load and unload device drivers, and is necessary to load and unload Plug and Play devices. Careless device driver management on domain controllers provides opportunities for bugs or malicious code to adversely impact the operation of the domain controllers. If the accounts that can load and unload device drivers are restricted in the DCBP to only the most trusted users, you minimize the potential for device drivers to be used to compromise domain controllers. By default, the Load and unload device drivers user right is assigned to the Print Operators group. As mentioned earlier, creation of printer shares is not recommended on domain controllers, which removes the need for Print Operators to have the ability to load and unload device drivers. Therefore, the Load and unload device drivers user right is assigned only to the Administrators group in the DCBP for all three environments that are defined in this guide.

Restore files and directories
This policy setting specifies which users can circumvent file and directory permissions during the restore process. Any valid security principal could be set as the owner of an object. An account that has the ability to restore files and directories to the file system of a domain controller can easily modify executable files. Malicious users could exploit this capability to not only render a domain controller useless, but also to compromise the security of a domain or an entire forest.

Shutdown the system This policy setting specifies which users can shut down the local computer. and Backup Operators groups. If you remove this user right from these groups and assign it only to the Administrators group. the Shutdown the system user right is assigned to the Administrators. In secure environments. Domain Controller Settings Table 5. A successful elevation of privilege attack on a domain controller compromises the security of a domain or an entire forest. By default.Chapter 5: The Domain Controller Baseline Policy 125 By default." Differences between the MSBP and the DCBP policy settings are described in the following sections. none of these groups except Administrators require this right to perform administrative tasks. the Shutdown the system user right is assigned only to the Administrators group in the DCBP for all three environments that are defined in this guide. Server Operators. For this reason. see Chapter 4. An attacker could exploit this user right to launch an elevation of privilege attack on a domain controller's account when it restarts services.5 Security Options: Domain Controller Setting Recommendations Setting Allow server operators to schedule tasks LDAP server signing requirements Refuse machine account password changes Legacy Client Enterprise Client Disabled Not defined Disabled Disabled Not defined Disabled Specialized Security – Limited Functionality Disabled Require signing Disabled Domain controller: Allow server operators to schedule tasks This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. For more information. the likelihood of domain controller compromise by improper modifications to the file system is reduced. "The Member Server Baseline Policy. The Domain controller: Allow server operators to schedule tasks setting is configured to Disabled in the DCBP for all three environments that are defined in this UNCLASSIFIED . Print Operators. Malicious users with the ability to shut down domain controllers can easily initiate a denial of service (DoS) attack that could severely affect an entire domain or forest. the Restore files and directories user right is assigned to the Server Operators and Backup Operators groups. Therefore. Security Options Most of the security option settings for domain controllers are the same as those specified in the MSBP. the Restore files and directories user right is assigned only to the Administrators group in the DCBP for all three environments that are defined in this guide.

Domain controller: Refuse machine account password changes This policy setting determines whether domain controllers will refuse requests from member computers to change computer account passwords. Network Security Settings Table 5. . Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Windows NT® hash. This policy setting is configured to Require signing in the DCBP for the SSLF environment because all computers in this environment run either Windows 2000 or Windows Server 2003. including those in the Server Operators group. If all domain controllers run Windows 2000 or Windows Server 2003. For an LDAP server. and then click Accessories folder. If you enable this policy setting on all domain controllers in a domain. configure the Domain controller: LDAP server signing requirements setting to Require signing. the Domain controller: Refuse machine account password changes setting is configured to Disabled in the DCBP for all three environments that are defined in this guide. The impact of this policy setting configuration should be small for most organizations. which is the DCBP configuration for the LC and EC environments. Then click AT Service Account on the Advanced menu. leave this policy setting configured as Not defined. modifies them.126 Windows Server 2003 Security Guide guide. Otherwise. and then forwards them to the client. To change the account. an attacker could cause a client to make decisions that are based on false records from the LDAP directory. Domain controller: LDAP server signing requirements This policy setting determines whether the LDAP server requires a signature before it will negotiate with LDAP clients. Users. Therefore. will still be able to create jobs by means of the Task Scheduler Wizard. computer account passwords on domain members will not be able to be changed and they will be more susceptible to attack. but those jobs will run in the context of the account with which the user authenticates when they set up the job.6 Security Options: Network Security Settings Recommendations Setting Do not store LAN Manager hash value on next password change Legacy Client Enabled Enterprise Client Enabled Specialized Security – Limited Functionality Enabled Network security: Do not store LAN Manager hash value on next password change This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. Network traffic that is neither signed nor encrypted is susceptible to man-in-the-middle attacks in which an intruder captures packets between the server and the client. click Scheduled Tasks. open System Tools.

review the needs of your organization to determine the groups you want to restrict. If your organization adds users to the Server Users group. the Restricted Groups setting allows you to manage the membership of groups in Windows Server 2003 with SP1 through Active Directory Group Policy." The baseline settings in the DCBP ensure that all the relevant security audit information is logged on the domain controllers. Note: If your organization uses any of these groups. Restricted Groups As described in the previous chapter. you can define its members and any other groups to which it belongs. Groups can only be restricted with security templates. including Directory Services Access.7 Restricted Groups Recommendations Local Group Backup Operators Server Operators Legacy Client No members No members Enterprise Client No members No members Specialized Security – Limited Functionality No members No members The Restricted Groups setting can be configured in Windows Server 2003 with SP1 at the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Restricted Groups\ To configure restricted groups for a GPO. the DCBP enables the Network security: Do not store LAN Manager hash value on next password change setting in all three environments that are defined in this guide. see Chapter 4. First. For domain controllers. If you do not specify these group members. For more information. Also. When a group is restricted. For example. the group is left totally restricted. all accounts will be required to change their password if you enable this policy setting.Chapter 5: The Domain Controller Baseline Policy 127 For this reason. UNCLASSIFIED . they still have powerful capabilities. you may want to implement the optional file system permissions that are described in the “Securing the File System” section in the previous chapter. then carefully control their membership and do not implement the guidance for the Restricted Groups setting. Windows 95 and Windows 98 will fail if they do not have the Active Directory Client Extension installed. administrators can add the desired group directly to the Restricted Groups node of the GPO namespace. "The Member Server Baseline Policy. Event Log Settings The event log settings for domain controllers are the same as those that are specified in the MSBP. Note: Older operating systems and some third-party applications may fail if you enable this policy setting. Although members of the Server Operators and Backup Operator groups have less access than members in the Administrators group. the Server Operators and Backup Operators groups are restricted in all three environments that are defined in this guide. Table 5.

Additional Security Settings This section describes modifications that must be made to the DCBP manually. you will need to log on locally to correct the mistake. Also. Select Add Group.exe) and add the Security Templates Add-in. Open the Security Templates Management Console. Warning: The following table contains values for the built-in Administrator account. for the SSLF environment. start the Microsoft Management Console (mmc. Right-click Restricted Groups. User rights assignments that must be configured manually are specified in the following table. If you add the Administrators security group to any of the following deny access user rights.microsoft. Microsoft recommends that you restrict any built-in group you do not plan to use in your organization. Versions of Windows XP with SP1 and SP2 as well as Windows Server 2003 support more complex designs. all members—users and groups—of the Server Operators and Backup Operators groups were removed to totally restrict them in both environments. and then the Find Now button to list all available groups. Double-click the Restricted Groups item. – or – Click the Advanced button. Select the groups you want to restrict. see the Microsoft Knowledge Base article “Updates to Restricted Groups ("Member of") Behavior of User-Defined Local Groups” at http://support. and then click OK.128 Windows Server 2003 Security Guide To view or modify the Restricted Groups setting 1. as well as additional settings and countermeasures that cannot be implemented through Group Policy. and then click OK. 7. Type the group name in the Enter the object names to select text box and then click the Check Names button. However. 6. To add it. if you renamed the built-in Administrator account in . 2. and then the configuration file. Note: Typically. Double-click the configuration file directory. Also. 5.aspx?kbid=810076. Click the Browse button. Note: The configuration of Restricted Groups that is described in this section is very simple. this action will cause a local computer to display at the top of the list. 8.com/default. 4. all members were removed for the Remote Desktop Users group. This account is not to be confused with the built-in Administrators security group. there are a few accounts and security groups that cannot be included in the templates because their security identifiers (SIDs) are specific to individual Windows Server 2003 domains. Click OK on the Add Groups dialog box to close it. For more information. In this guidance. 9. Manually Adding Unique Security Groups to User Rights Assignments Most user rights assignments that are applied through the DCBP are properly specified in the security templates that accompany this guide. Note: The Security Templates Management Console is not added to the Administrative Tools menu by default. select the locations you want to browse. 3. then Locations.

Chapter 5: The Domain Controller Baseline Policy 129 accordance with the recommendations in Chapter 4. all NON-operating system service accounts Enterprise Client Built-in Administrator. you will gain the added benefit of improved domain controller performance. Support_388945a0. Guest. Information is needed from all domain controllers in the environment. and directory searches. Support_388945a0. but does NOT include LOCAL SYSTEM. all NONOperating System service accounts Support_388945a0 and Guest Built-in Administrator. You can move the Ntds." ensure that you select the newly renamed administrator account when you add the account to any deny access user rights.8 Manually Added User Rights Assignments Setting Deny access to this computer from the network Legacy Client Built-in Administrator. including user logon processes.dit. UNCLASSIFIED . Table 5. More log information will allow administrators to perform meaningful audits if hacker attacks occur. all NON-operating system service accounts Deny log on as a batch job Deny log on through Terminal Services Important: “All non-operating system service accounts” includes service accounts that are used for specific applications across an enterprise. all NONOperating System service accounts Support_388945a0 and Guest Built-in Administrator. all NONOperating System service accounts Support_388945a0 and Guest Built-in Administrator.edb files from their default location. You can increase the maximum size of the log files to support this effort. Support_388945a0. Relocating Data – Active Directory Database and Log Files To maintain directory integrity and reliability. and availability of Active Directory. "The Member Server Baseline Policy. which will help to conceal them from an attacker if a domain controller is compromised. authentication. it is essential that you safeguard the Active Directory database and its log files. These files should be moved for all three environments that are defined in this guide. this guide recommends that you move the Active Directory database and log files for the domain controllers to a striped or striped/mirrored disk volume that does not contain the operating system. Guest.log. reliability. Edb. and Temp. Guest. For these reasons. LOCAL SERVICE or the NETWORK SERVICE accounts (the built-in accounts that the operating system uses). Resizing Active Directory Log Files An adequate amount of information must be logged to effectively monitor and maintain the integrity. Directory Services Domain controllers that run Windows Server 2003 with SP1 store directory data and manage user and domain interactions. If you move the files off the system volume to a separate physical disk. all NON-operating system service accounts Specialized Security – Limited Functionality Built-in Administrator.

Syskey in Mode 1 allows an attacker to read and alter the contents of the directory. Password Startup More secure Uses a computer-generated random key as the system key and stores an encrypted version of the key on the local computer. password information is stored in Active Directory. Using Syskey On domain controllers. However. The logistics of Syskey password or floppy disk management can be quite complex.M. Most secure Uses a computer-generated random key and stores the key on a floppy disk. Store Startup Key Locally Security level Secure Description Uses a computer-generated random key as the system key and stores an encrypted version of the key on the local computer. the proper operational processes must be implemented in your environment to meet specific availability requirements for the domain controllers. and enables the user to restart the computer without the need for an administrator to enter a password or insert a disk. to enter .130 Windows Server 2003 Security Guide This guide recommends that you increase the maximum size of the Directory Service and File Replication Service log files from the 512 KB default to 16 MB on the domain controllers in the three environments that are defined in this guide. For example. it can be very expensive to require one of your branch managers or local administrative staff to come to the office at 3 A. The floppy disk that contains the system key is required for the computer to start. especially in branch offices. The system key password is not stored anywhere on the computer. It is not unusual for password-cracking software to target the Security Accounts Manager (SAM) database or directory services to access passwords for user accounts. which would render the domain controller easily vulnerable to an attacker with physical access. To take advantage of the added protection provided by these Syskey modes. This option provides strong encryption of password information in the registry. From a security standpoint. The System Key utility (Syskey) provides an extra line of defense against offline password-cracking software. Store Startup Key on Floppy Disk Syskey is enabled on all Windows Server 2003 with SP1 servers in Mode 1 (obfuscated key). Mode 3: System Generated Password. Syskey uses strong encryption techniques to secure account password information that is stored in the SAM on the domain controller. the operational need to restart domain controllers tends to make Syskey Mode 2 or Mode 3 difficult to support. However. Mode 2: Administrator generated password. and it must be inserted at a prompt during the startup sequence. this configuration appears sensible at first. There are many reasons to recommend using Syskey in Mode 2 (console password) or Mode 3 (floppy storage of Syskey password) for any domain controller that is exposed to physical security threats. The key is also protected by an administrator-chosen password.9 Syskey Modes System Key option Mode 1: System Generated Password. The system key is not stored anywhere on the computer. Table 5. Users are prompted for the system key password when the computer is in the initial startup sequence.

To create or update a system key 1. clients may be unknowingly redirected to unauthorized computers. The following sections provide several recommendations and explanations about how to safeguard DNS servers.Chapter 5: The Domain Controller Baseline Policy 131 passwords or insert a floppy to enable user access. With the proper operational procedures in place. IP spoofing and cache poisoning are examples of this type of attack. Click Start. and then click OK. In IP spoofing. If this happens. Some hardware vendors have add-on solutions that allow you to remotely access server consoles. Syskey can provide an increased level of security to protect sensitive directory information on domain controllers. such as domain controllers. the unauthorized computers may attempt to gain access to information on the client computers. If a DNS server responds with invalid addresses. There is no method for you to recover a domain controller if the Syskey password or floppy disk is lost. type syskey. If an attacker controls this information. clients and servers cannot locate the resources they need to function. one possible goal of the attacker is to control the DNS information that is returned in response to DNS client queries. Syskey Mode 2 or Mode 3 is recommended for domain controllers in locations without strong physical storage security. If client computers are allowed to communicate with unauthorized computers. the domain controller must be rebuilt. Part of the reason for this recommendation is because Active Directory zone integration makes it simpler to secure the DNS infrastructure in an environment that uses Active Directory-integrated DNS than in an environment that does not use Active Directory-integrated DNS. Some DoS attacks could alter DNS records in legitimate DNS servers to provide invalid addresses in response to client queries. 2. 3. This configuration applies to domain controllers in all three environments that are described in this guide. the loss of the Syskey password or floppy disk would leave your domain controller in a state where it cannot be restarted. if you decide to allow your centralized IT operations personnel to provide the Syskey password remotely. When a DNS server is attacked. Active Directory-Integrated DNS Microsoft recommends the use of Active Directory-integrated DNS in the three environments that are defined in this guide. Such expensive requirements can make the achievement of high availability service level agreements (SLAs) a significant challenge. For these reasons. Click Encryption Enabled. Finally. additional hardware is required. Web servers. Cache poisoning is an attack in which an unauthorized host transmits false information about another host into the cache of a DNS server. or file shares. and then click OK. Not all attacks focus on spoofing DNS servers. Click the desired option. and then click Update. a transmission is given the IP address of an authorized user to obtain access to a computer or network. Protecting DNS Servers It is essential to safeguard DNS servers in any Active Directory environment. click Run. Alternatively. The attack causes clients to be redirected to unauthorized computers. UNCLASSIFIED .

This method severely limits the ability of an attacker to compromise the integrity of a DNS server. If a dynamic DNS server is configured to accept unsecured updates. This transfer can be easily accomplished with tools such as Nslookup. which helps ensure that the IP addresses of the DNS servers are not spoofed by other computers. At worst. . an attacker can overwrite or delete legitimate entries in the DNS database. the routers that are used in the three environments that are defined in this guide are configured to drop spoofed IP packets. a compromised DNS server can be instructed to return the address of an unauthorized server. Limiting Zone Transfers to Authorized Systems Because of the importance of zones in DNS. the Active Directory DNS servers in the three environments that are defined in this guide are configured to accept only secure dynamic updates. Active Directory-integrated DNS servers in the three environments that are defined in this guide are configured to allow zone transfers. directory-integrated Web servers. an attacker could transmit malicious or unauthorized updates from a client computer that supports the DNS dynamic update protocol. Then. the client might be tricked and convinced to transmit secure information to the unauthorized server. A server’s disk space could be exhausted by a huge zone file that is filled with dummy records or large numbers of entries that slow down replication. Such tools can expose the entire domain's DNS dataset. • • Use of secure dynamic DNS updates guarantees that registration requests are only processed if they are sent from valid clients in an Active Directory forest. or Microsoft SQL Server™ databases.132 Windows Server 2003 Security Guide For these reasons. they should be available from more than one DNS server on the network to provide adequate availability and fault tolerance for name resolution queries. zone transfers are required to replicate and synchronize all copies of the zone for each server that is configured to host the zone. For these reasons. Configuring Secure Dynamic Updates The DNS client service in Windows Server 2003 with SP1 supports dynamic DNS updates. When domain controllers cannot locate other domain controllers. When additional servers host a zone. they cannot access the directory. including such things as which hosts serve as domain controllers. Such an attacker could accomplish any of the following: • Direct clients to unauthorized domain controllers. For these reasons. a DNS server that does not limit who can request zone transfers is vulnerable to transfer of the entire DNS zone to anyone who requests it. which creates a DoS condition that could affect users throughout a forest. directory replication stops. When a client submits a DNS query to find the address of a domain controller. If clients cannot locate servers. which allow client computers to add DNS records directly into the database. with the use of other non-DNS related attacks. Create a DoS condition. Respond to DNS queries with invalid addresses. At a minimum.exe. Clients and servers would be unable to locate one another. Also. but to limit which computers can make transfer requests. an attacker can add false entries to the DNS database.

Securing Well-Known Accounts Windows Server 2003 with SP1 has a number of built-in user accounts that cannot be deleted but can be renamed. This policy setting was not implemented in any of the security templates that are provided with this guide because every organization should choose a unique name for this account. By default. This configuration should not be changed. an attacker who gains access to one member server will be able to gain access to all others with the same account name and password. Many variations of malicious code use the built-in Administrator account in an initial attempt to compromise a server. You can increase the maximum size of the DNS service log file. Information is needed from all domain controllers in the environment. For more information about how to secure UNCLASSIFIED . and change their passwords to long and complex values on every domain and server. group. Complete the following steps to secure well-known accounts on domains and servers: • • Rename the Administrator and Guest accounts. you should rename the built-in Administrator account and alter its description to help prevent compromise of remote servers by attackers who try to use this well-known account. Also. The value of this configuration change has diminished over the past few years since the release of attack tools that specify the security identifier (SID) of the built-in administrator account to determine its true name and then break in to the server. you can configure the Accounts: Rename administrator account setting to rename administrator accounts in all three environments that are defined in this guide. which will allow administrators to perform meaningful audits in the event of an attack. computer account. the Guest account is disabled on member servers and domain controllers. It is not possible to change the SID of this built-in account. your operations groups can easily monitor attempted attacks against this Administrator account if you rename it with a unique name. Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts.Chapter 5: The Domain Controller Baseline Policy 133 Resizing the Event Log and DNS Service Log An adequate amount of information must be logged to effectively monitor and maintain the DNS service. domain account passwords could be easily obtained by dumping LSA secrets. ensure that the Overwrite events as needed option in the DNS service is selected to maximize the amount of log entries preserved. A SID is the value that uniquely identifies each user. This guide recommends that you increase the maximum size of the DNS service log file to at least 16 MB on the domain controllers in the three environments that are defined in this guide. Securing Service Accounts Never configure a service to run under the security context of a domain account unless it is unavoidable. Record any changes that you make in a secure location. Use different names and passwords on each server. • • Note: The built-in administrator account can be renamed through Group Policy. If the server is physically compromised. Therefore. and logon session on a network. However. However. Two of the most well known built-in accounts in Windows Server 2003 are Guest and Administrator. This policy setting is a part of the Security Options settings of a GPO. If the same account names and passwords are used on all domains and servers.

Clients that do not support this level of encryption will not be able to connect. Important: Data sent from the server to the client is not encrypted.microsoft. The High Level option that uses 128-bit encryption prevents an attacker from eavesdropping on Terminal Services sessions with a packet analyzer.11 Terminal Services Encryption Levels Encryption level High level Description Encrypts data that is sent from client to server and from server to client with strong 128-bit encryption. Some older versions of the Terminal Services client do not support this high level of encryption. Terminal Services Settings Table 5.com/fwlink/?LinkId=41311.134 Windows Server 2003 Security Guide service accounts. You can configure this policy setting in Windows Server 2003 at the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\ Terminal Services\Encryption and Security The three available levels of encryption are described in the following table: Table 5.10 Recommended Terminal Services Settings Default Set client connection encryption level Legacy Client High Enterprise Client High Specialized Security – Limited Functionality High The Set client connection encryption level setting determines the level of encryption for Terminal Services client connections in your environment. Use this level when the Terminal Server runs in an environment that contains mixed or legacy clients. Encrypts data that is sent between the client and the server at the maximum key strength that is supported by the client. The Set client connection encryption level setting is configured to Enabled and High Level encryption is selected in the DCBP for the three security environments that are defined in this guide. If your network contains such clients. Client Compatible Low level . Encrypts data that is sent from the client to the server with 56-bit encryption. see The Services and Service Accounts Security Planning Guide at http://go. set the encryption level of the connection to send and receive data at the highest encryption level that is supported by the client. Use this level when the Terminal Server runs in an environment that contains 128-bit clients only (such as Remote Desktop Connection clients).

you should install the operating system on hardware that is similar to the hardware that is used in your deployment to help ensure as much compatibility as possible. However. You can use either an existing domain controller or create a reference computer and use the Dcpromo tool to make the computer a domain controller.12 Recommended Error Reporting Settings Setting Turn off Windows Error Reporting Legacy Client Enabled Enterprise Client Enabled Specialized Security – Limited Functionality Enabled This service helps Microsoft track and address errors. These policy settings are provided by the security templates for your chosen environment. If possible. The Turn off Windows Error Reporting setting controls whether the Error Reporting service transmits any data. Although error reports can potentially contain sensitive or even confidential data. This approach is necessary to ensure that the policy elements that are provided by the templates take precedence over those that are configured by SCW. Creating the Policy Using SCW To deploy the necessary security settings. be sure to skip the "Registry Settings" and “Audit Policy” sections. You can configure this service to generate reports for operating system errors. When you create your own policy. You can configure this policy setting in Windows Server 2003 at the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communications settings Configure the Turn off Windows Error Reporting setting to Enabled in the DCBP for all three environments that are defined in this guide. Windows component errors. It is only available in Windows XP Professional and Windows Server 2003. which helps ensure that there are no legacy settings or software from previous configurations. However. the Microsoft privacy policy with regard to error reporting ensures that Microsoft will not use such data improperly. To create the Domain Controller Baseline Policy You must use a computer that is configured as a domain controller to create the Domain Controller Baseline Policy. The Error Reporting service can report such errors to Microsoft through the Internet or to an internal file share. which could be intercepted on the Internet and viewed by third parties. the data is transmitted in plaintext HTTP. most organizations do not want to add a domain controller to their production environment because it may violate their security policy.Chapter 5: The Domain Controller Baseline Policy 135 Error Reporting Table 5. you must use both the Security Configuration Wizard (SCW) and the security templates that are included with the downloadable version of this guide to create a domain controller baseline policy. The new installation is called a reference computer. If you use an existing domain UNCLASSIFIED . or program errors. You should use a new installation of the operating system to begin your configuration work.

such as the presence of unexpected services that are required by specific hardware devices. select Create new policy. or use Scwcmd to push the policy to a group of servers. 2. Install the Security Configuration Wizard component on the computer through Control Panel. Ensure that the detected administrative options are appropriate for your environment. Decide how to handle unspecified services in your environment. Two options are available to test the policy. Domain Controller. ensure that Mailbased Active Directory replication is selected. such as backup agents or antivirus software. click the Skip this section checkbox and then click Next. When you start to author your policies. Add/Remove Programs. because it is required for the proper operation of domain controllers. These policy settings are imported from the supplied INF file. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall. Ideally. 5. 8. your test servers will have the same hardware and software configuration as your production servers.136 Windows Server 2003 Security Guide controller.inf). This approach will allow you to find and fix potential problems. These policy settings are imported from the supplied INF file. 11. This capability can be very useful when you make multiple changes to your policies during the test process. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer. Note: Ensure that Ports for System RPC Applications is selected. The native deployment method offers the advantage of the ability to easily roll back deployed policies from within SCW. make sure that you do not apply any setting to it with SCW or modify its configuration. Do not remove the File server role. or deploy the policies through a GPO. Launch the SCW GUI. you . 4. After you apply the configuration changes. click the Skip this section checkbox and then click Next. Ensure that the detected client features are appropriate for your environment. You can use SCW to push a policy to a single server at a time. are detected. 3. 9. 1. Add/Remove Windows Components. Ensure that the Skip this section checkbox is unchecked in the "Network Security" section. For extra security. In the "Registry Settings" section. Microsoft strongly recommends that you deploy it to your test environment. EC-Domain Controller. You can use the native SCW deployment facilities. 10. Include the appropriate security template (for example. The policy is tested to ensure that the application of this policy to the target servers will not adversely affect their critical functions. Save the policy with an appropriate name (for example. you should consider using the native SCW deployment facilities.xml). and point it to the reference computer. Ensure that the detected server roles are appropriate for your environment. Ensure that any additional services that are required by your baseline. 6. you may wish to configure this policy setting to Disable. In the "Audit Policy" section. 7. and then click Next. 12. Note: If your environment contains domain controllers in multiple sites. Test the Policy Using SCW After you create and save the policy.

The Domain Controller Baseline Policy (DCBP) that complements the Default Domain Controller Policy was linked to the Domain Controllers OU. see the Deployment Guide for the Security Configuration Wizard at http://technet2. and so on. After you verify that the GPO has replicated successfully. especially in environments with domain controllers in multiple sites. you can use Scwcmd as shown in the following procedure to convert the policies to GPOs.microsoft. For example: scwcmd transform /p:"C:\Windows\Security\msscw\Policies\Domain Controller. you should perform a final test to ensure that the GPO applies the desired policy settings.xml" /g:"Domain Controller Policy" Note: The information to be entered at the command prompt shows on more than one line here because of display limitations. To complete this procedure. The use of two GPOs to secure domain controllers allows the default environment to be preserved and simplifies troubleshooting. Most of the policy settings that were discussed were configured and applied through Group Policy. Windows Firewall must be active on the local computer for this procedure to complete successfully. At the command prompt. confirm that the appropriate settings were made and that functionality is not affected. The DCBP settings will enhance overall security for domain controllers in any environment. ensure that clients can request and obtain certificates. This information should all be entered on one line. To verify that Windows Firewall is active. When you are confident in your policy configurations.Chapter 5: The Domain Controller Baseline Policy 137 should begin to verify the core functionality of the computer. Note that if the SCW security policy file contains Windows Firewall settings.com/fwlink/?linkid=43450. Several of the settings that were discussed cannot be applied through Group Policy. Use the Group Policy Management Console to link the newly created GPO to the Domain Controllers OU. For example. if the server is configured as a certification authority (CA). download a certificate revocation list. type the following command: scwcmd transform /p:<PathToPolicy. For more details about how to test SCW policies. Remember that the newly created GPO can take some time to replicate to all domain controllers. 2. manual configuration details were provided. open Control Panel and then double-click Windows Firewall.com/WindowsServer/en/Library/5254f8cd-143e-4559-a2999c723b3669461033. Summary This chapter explained how to harden domain controller servers that run Windows Server 2003 with SP1 in each of the three environments that are defined in this guide. UNCLASSIFIED .microsoft. Convert and Deploy the Policy After you thoroughly test the policy. complete the following steps to convert it into a GPO and deploy it: 1. For these settings.mspx and the Security Configuration Wizard Documentation at http://go. and make sure to move it above the Default Domain Controllers Policy so that it receives the highest priority.xml> /g:<GPODisplayName> and then press ENTER.

For more information about IP spoofing. For more information about the Windows Time Service. see the Windows Time Service Technical Reference at http://technet2. see the PDF version of the article “Introduction to IP Spoofing” at www.microsoft. see the MSA EDC Prescriptive Architecture Guide page at www. For more information about restricting FRS replication traffic.com/WindowsServer/en/Library/a0fcd250-e5f7-41b3-b0e8240f8236e2101033. For more information about the changes to DNS in Windows Server 2003. For information about how to enable anonymous access to Active Directory.microsoft.com/?kbid=319553.microsoft. see Chapter 6 of the online version of "TCP/IP Core Networking Guide" in the Windows 2000 Server Resource Kit at www.mspx. see the "Windows 2000 DNS White Paper" at www.com/?kbid=224196.com/download/e/1/a/e1aba157-4983-480e-aae5347b4a38ea52/ChangestoDNS.com/?kbid=257988.mspx.pdf.giac.microsoft.com/technet/prodtechnol/windows2000serv/plan/ w2kdns2. For more information about restricting Active Directory.microsoft. see the Microsoft Knowledge Base article "Description of Dcpromo Permissions Choices" at http://support.microsoft.asp. see the “Changes to DNS in Windows Server 2003 Microsoft PowerPoint presentation” at http://download.com/resources/documentation/msa/edc/all/solution/ en-us/pak/pag/default.mspx. For information about Windows 2000 DNS.org/practical/gsec/Victor_Velasco_GSEC. • • • • • • • • . The following chapters of this guide focus on how to secure several other specific server roles. • For information about the Microsoft Systems Architecture: Enterprise Data Center prescriptive architecture guides. other server roles can be made more secure. see the Microsoft Knowledge Base article "How to restrict FRS replication traffic to a specific static port" at http://support. For more information about Windows 2000 DNS.ppt. see the Microsoft Knowledge Base article "Restricting Active Directory replication traffic to a specific port" at http://support.asp?url=/resources/documentation/Windows/2000/server/reskit/enus/w2rkbook/CoreNetwork.138 Windows Server 2003 Security Guide After the domain controllers are configured for security.microsoft.microsoft. More Information The following links provide additional information about topics that relate to hardening domain controllers that run Windows Server 2003 with SP1.com/resources/documentation/Windows/2000/server/reskit/enus/Default.

1 Infrastructure Server Security Templates and Policies Legacy Client LC-Infrastructure Server. see Chapter 4.UNCLASSIFIED Chapter 6: The Infrastructure Server Role Overview This chapter explains the policy settings you can use to harden infrastructure servers that run Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1) in the three environments that are defined in this guide. “The Member Server Baseline Policy. Where possible. which is available at http://go. these policy settings are gathered in an incremental Group Policy object that will be applied to the Infrastructure Servers OU. This chapter only discusses those policy settings that vary from the MSBP. Most of the settings in this chapter are configured and applied through Group Policy.inf For information about policy settings in the MSBP. For more information about the MSBP. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. which in turn is used to create a new GPO that is linked to the Infrastructure Servers OU in the appropriate environment." The MSBP settings turn on logging for the relevant security audit information on infrastructure servers.com/fwlink/?LinkId=15159. Some of the settings in this chapter cannot be applied through Group Policy. see Chapter 4.inf Specialized Security – Limited Functionality SSLF-Infrastructure Server.inf Enterprise Client EC-Infrastructure Server. "Windows Server 2003 Hardening Mechanisms" to help you create the OUs and Group Policies and then import the appropriate security template into each GPO. For the purposes of this guide. Table 6.microsoft. Detailed information about how to configure these settings manually is provided. "The Member Server Baseline Policy. Audit Policy Settings The Audit policy settings for infrastructure servers in the three environments that are defined in this guide are configured through the MSBP. see the companion guide. The following table shows the names of the infrastructure server security templates for the three environments that are defined in this guide. These templates provide the policy settings for the incremental Infrastructure Server template. A Group Policy object (GPO) that complements the Member Server Baseline Policy (MSBP) can be linked to the appropriate organizational units (OUs) that contain the infrastructure servers to provide additional security for the servers. Step-by-step instructions are provided in Chapter 2. an infrastructure server is one that provides DHCP services or Microsoft WINS functionality.” For information on all default policy settings. UNCLASSIFIED .

On the General tab of the Properties dialog box. (Spoofing makes a transmission appear to come from a user other than the user who performed the action. Security Options The security options settings for infrastructure servers in the three environments that are defined in this guide are configured through the MSBP. Complete the following steps to enable a more detailed log on the DHCP server: 1. Configure DHCP Logging By default. Select Properties. 2. You cannot configure the settings in this section through Group Policy. This section discusses some additional settings for consideration. "The Member Server Baseline Policy.) However. Right-click the DHCP server in the DHCP Administration Tool. The DHCP audit logs provide an additional tool to help locate the sources of internal attacks or inadvertent activities. It can be very helpful to have more than just ." The MSBP settings configure relevant security options settings uniformly on all infrastructure servers. the information in these logs is not foolproof. because both host names and media access control (MAC) addresses can be forged or spoofed. "The Member Server Baseline Policy. the benefits that this information provides outweigh any costs that are incurred when logging is enabled on a DHCP server. For more information about the MSBP. you need to configure them manually on all infrastructure servers. see Chapter 4. However.140 Windows Server 2003 Security Guide User Rights Assignment Settings The user rights assignments for infrastructure servers in the three environments that are defined in this guide are configured through the MSBP. see Chapter 4. "The Member Server Baseline Policy. click Enable DHCP Audit Logging." The MSBP settings configure user rights assignments uniformly on all infrastructure servers. the DHCP server creates a log file in the following location: %systemroot%\system32\dhcp\ DHCP client information is often difficult to locate in log files because the only information that is stored in most logs are computer names. For more information about the MSBP." Additional Security Settings The security settings that the MSBP applies significantly enhance the security of infrastructure servers. For more information about the MSBP. 3. see Chapter 4. the DHCP service only logs startup and shutdown events in the event log. When you complete these steps. Event Log Settings The event log settings for infrastructure servers in the three environments that are defined in this guide are configured through the MSBP. not IP addresses.

they could be prime targets for a DoS attack.com/resources/documentation/Windows/2000/server/ reskit/en-us/cnet/cncb_dhc_klom. the Server Operators and Authenticated Users groups have read permissions to the DHCP log files. but you can modify it to ensure sufficient free disk space is available for other applications on a server. By default. It would not be very difficult to write an attack tool script that requests all available addresses on a DHCP server.asp. Such a script would exhaust the pool of available IP addresses for subsequent.Chapter 6: The Infrastructure Server Role 141 an IP address and a computer name when you need to determine how a particular IP address was used on a network. Two of the most well-known built-in accounts in Windows Server 2003 are Guest and Administrator. Those clients will then lose their existing IP leases and the ability to access network resources. The Server Operators and Authenticated Users groups should be removed from the Access Control List (ACL) of the %systemroot%\system32\dhcp\ folder. Note: The 80/20 Rule described in the Windows 2000 Server Resource Kit also applies to DHCP services in Windows Server 2003 with SP1. legitimate requests from DHCP clients. Also. For information about how to modify this configuration. This default configuration is adequate for servers in most environments. CPU exhaustion or filling the request buffer of the DHCP listener—that exhausts the DHCP server's ability to respond to legitimate traffic could make it impossible for clients to request leases and renewals. which would cause the DHCP server to detect IP address conflicts for all addresses in its scope and to refuse to allocate DHCP leases. Protect Against DHCP Denial of Service Attacks Because DHCP servers are critical resources that provide client access to the network. To best preserve the integrity of the information logged by a DHCP server.com/WindowsServer/en/Library/f7802dce-3ff9-406a-b3e6c0c6b3ed49411033. These configuration suggestions help ensure that clients can continue to receive IP address configuration despite server failure. refer to the DhcpLogMinSpaceOnDisk page in the Windows Server 2003 Tech Center at http://technet2. If a DHCP server is attacked and unable to service DHCP requests. This type of problem can be avoided by proper design of DHCP services.microsoft. For more information about the 80/20 rule and the DHCP protocol. see the Dynamic Host Configuration Protocol page in the Windows 2000 Server Resource Kit at www. UNCLASSIFIED . Securing Well-Known Accounts Windows Server 2003 with SP1 has a number of built-in user accounts that cannot be deleted but can be renamed. It is also possible for a malicious user to configure all DHCP IP addresses on the network adapter of a computer they administer.mspx. You can configure DHCP servers in pairs and follow the best practice 80/20 rule—split DHCP server scopes between servers so that 80 percent of the addresses are distributed by one DHCP server and 20 percent by another—to help mitigate the impact of these types of attacks. a DoS attack—for example. DHCP clients will eventually be unable to acquire leases. However. the default configuration for the DHCP Audit Logging setting ensures that logging will stop if there is less than 20 MB of free disk space available on the server. the DHCP audit logs could fill the disk on which they are stored. it is recommended that access to these logs be limited to server administrators. as with all other network services.microsoft. In theory.

Therefore. The value of this configuration change has diminished over the past few years since the release of attack tools that specify the security identifier (SID) of the built-in Administrator account to determine its true name and then break into the server.com/fwlink/?LinkId=41311. you must use both the Security Configuration Wizard (SCW) and the security templates that are included with the downloadable version of this guide to create a server policy. you can configure the Accounts: Rename administrator account setting to rename administrator accounts in all three environments that are defined in this guide. and logon session on a network. be sure to skip the "Registry Settings" and “Audit Policy” sections. When you create your own policy. However. This policy setting was not implemented in any of the security templates that are provided with this guide because every organization should choose a unique name for this account. This approach is necessary to ensure that the policy elements that are provided by the templates take precedence over those that would be configured by SCW. For more information about how to secure service accounts. It is not possible to change the SID of this built-in account. You should use a new installation of the operating system to begin your configuration work. This configuration should not be changed. • • Note: The built-in Administrator account can be renamed through Group Policy. If the same account names and passwords are used on all domains and servers. Use different names and passwords on each server. Record any changes that you make in a secure location. you should rename the built-in Administrator account and alter its description to help prevent compromise of remote servers by attackers who try to use this well-known account. and change their passwords to long and complex values on every domain and server. an attacker who gains access to one member server will be able to gain access to all other servers with the same account name and password. domain account passwords could be easily obtained by dumping LSA secrets. To secure well-known accounts on infrastructure servers • • Rename the Administrator and Guest accounts. If the server is physically compromised. see The Services and Service Accounts Security Planning Guide at http://go. These policy settings are provided by the security templates for your chosen environment. the Guest account is disabled on member servers and domain controllers.microsoft. Securing Service Accounts Never configure a service to run under the security context of a domain account unless it is unavoidable. group. This policy setting is a part of the Security Options settings of a GPO. your operations groups can easily monitor attempted attacks against this Administrator account if you rename it with a unique name. which helps ensure that there are no legacy settings or software from previous configurations. Creating the Policy Using SCW To deploy the necessary security settings. If possible. Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts. Many variations of malicious code use the built-in Administrator account in an initial attempt to compromise a server.142 Windows Server 2003 Security Guide By default. However. A SID is the value that uniquely identifies each user. computer account. you should install the operating system on hardware that is .

For extra security. Join the computer to the domain. Install the Security Configuration Wizard component on the computer through Control Panel.xml). 8. Test the Policy Using SCW After you create and save the policy. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall. Infrastructure Server. Install and configure only the mandatory applications that will be on every server that shares this role. click the Skip this section checkbox and then click Next. 4. and antivirus or antispyware utilities. which will apply all security settings from parent OUs. 7. select Create new policy. Ensure that the detected administrative options are appropriate for your environment. click the Skip this section checkbox and then click Next.inf). Add/Remove Programs. Decide how to handle unspecified services in your environment. Ensure the Skip this section checkbox is unchecked in the "Network Security" section. such as backup agents or antivirus software. Ensure that any additional services that are required by your baseline. UNCLASSIFIED . In the "Audit Policy" section. The new installation is called a reference computer. In the "Registry Settings" section. 15. These policy settings are imported from the supplied INF file. such as the presence of unexpected services that are required by specific hardware devices. you can apply a second policy later in this process. 5. To enable the File server role for servers that require it. 10. Ensure that the detected server roles are appropriate for your environment—for example. 14. Create a new installation of Windows Server 2003 with SP1 on a new reference computer. During the server policy creation steps you will probably remove the File server role from the list of detected roles. EC-Infrastructure Server. you may wish to configure this policy setting to Disable. 2. 6. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer. 13. Add/Remove Windows Components. 11. software and management agents. Include the appropriate security template (for example. and point it to the reference computer. 9. To create the infrastructure server policy 1. Launch the SCW GUI. Ideally. 12. your test servers will have the same hardware and software configuration as your production servers. These policy settings are imported from the supplied INF file. This role is commonly configured on servers that do not require it and could be considered a security risk. Examples include role-specific services. and then click Next. 3.Chapter 6: The Infrastructure Server Role 143 similar to the hardware that is used in your deployment to help ensure as much compatibility as possible. Microsoft strongly recommends that you deploy it to your test environment. the DHCP server and WINS server roles. tape backup agents. are detected. Ensure that the detected client features are appropriate for your environment. Save the policy with an appropriate name (for example. This approach will allow you to find and fix potential problems.

you should begin to verify the core functionality of the computer. you can use Scwcmd as shown in the following procedure to convert the policies to GPOs. open Control Panel and then double-click Windows Firewall. download a certificate revocation list. type the following command: scwcmd transform /p:<PathToPolicy. This capability can be very useful when you make multiple changes to your policies during the test process.microsoft. For example.com/WindowsServer/en/Library/5254f8cd-143e-4559-a2999c723b3669461033. Windows Firewall must be active on the local computer for this procedure to complete successfully. you should consider using the native SCW deployment facilities. The native deployment method allows you to easily roll back deployed policies from within SCW. see the Deployment Guide for the Security Configuration Wizard at http://technet2. The policy is tested to ensure that the application of this policy to the target servers will not adversely affect their critical functions. Convert and Deploy the Policy After you thoroughly test the policy. Note that if the SCW security policy file contains Windows Firewall settings. 2. After you apply the configuration changes.microsoft. You should now perform a final test to ensure that the GPO applies the desired policy settings. confirm that the appropriate policy settings were made and that functionality is not affected. You can use the native SCW deployment facilities. For example: scwcmd transform /p:"C:\Windows\Security\msscw\Policies\Infrastructure.xml> /g:<GPODisplayName> and then press ENTER.144 Windows Server 2003 Security Guide Two options are available to test the policy. ensure that clients can request and obtain certificates. if the server is configured as a certification authority (CA). This information should all be entered on one line. complete the following steps to convert it into a GPO and deploy it: 1. At the command prompt.xml" /g:"Infrastructure Policy" Note: The information to be entered at the command prompt shows on more than one line here because of display limitations. You can use SCW to push a policy to a single server at a time. When you are confident in your policy configurations. and so on.mspx and the Security Configuration Wizard Documentation at http://go. or use Scwcmd to push the policy to a group of servers. Most of the settings for these roles are applied through the MSBP. To verify that Windows Firewall is active. When you start to author your policies.com/fwlink/?linkid=43450. or deploy the policies through a GPO. To complete this procedure. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. For more details about how to test SCW policies. Summary This chapter explained the policy settings that can be used for DHCP and WINS servers that run Windows Server 2003 with SP1 in the three environments that are defined in this guide. The primary goal of creating an Infrastructure Policy object for the DHCP and WINS servers is to .

For information about installing WINS in Windows Server 2003. see the Microsoft Knowledge Base article “Changes in Windows Server 2003 DHCP Logging” at http://support. Primarily.com/resources/documentation/Windows/2000/server/reskit/ en-us/cnet/cncb_dhc_klom.microsoft. • For information about how DHCP logging has changed in Windows Server 2003.com/technet/archive/windows2000serv/evaluate/featfunc/nt5wins.microsoft.Chapter 6: The Infrastructure Server Role 145 enable the necessary services for these roles to fully function and keep them well secured. see the Dynamic Host Configuration Protocol page at www.com/technet/prodtechnol/windowsserver2003/library/ ServerHelp/a29d0a59-8bdd-4a82-a980-b53bd72fcb0e. Although the MSBP provides a great level of security. • • • UNCLASSIFIED .microsoft. More Information The following links provide additional information about topics that relate to hardening infrastructure servers that run Windows Server 2003 with SP1. For more information about WINS. this chapter also discussed other considerations for the infrastructure server roles. see the “Install and Manage WINS Servers” page at www.com/?kbid=328891. these considerations included the generation of log files.microsoft.mspx. see the “Windows 2000 Server Windows Internet Naming Service (WINS) Overview” at www.asp.msp x. For more information about DHCP.

.

Table 7.inf Specialized Security – Limited Functionality SSLF-File Server. A Group Policy object (GPO) that complements the Member Server Baseline Policy (MSBP) can be linked to the appropriate organizational units (OUs) that contain the file servers to provide the required security settings for this server role. these policy settings are gathered in an incremental Group Policy object that will be applied to the File Servers OU.inf For information about policy settings in the MSBP.com/fwlink/?LinkId=15159.1 File Server Security Templates Legacy Client LC-File Server. it will be difficult for both users and administrators to access file servers if these protocols are disabled. "Windows Server 2003 Hardening Mechanisms" to help you create the OUs and Group Policies and then import the appropriate security template into each GPO. see the companion guide. This chapter only discusses those policy settings that vary from the MSBP. Most of the policy settings in this chapter are configured and applied through Group Policy. Detailed information about how to configure these policy settings manually is provided.inf Enterprise Client EC-File Server. “The Member Server Baseline Policy. The following table shows the names of the file server security templates for the three environments that are defined in this guide. Step-by-step instructions are provided in Chapter 2.UNCLASSIFIED Chapter 7: The File Server Role Overview It can be a challenge to harden file server computers that run Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1). Audit Policy Settings The Audit policy settings for file servers in the three environments that are defined in this guide are configured through the MSBP. These templates provide the settings for the incremental File Server template. see UNCLASSIFIED . Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. These protocols can provide rich information to unauthenticated users.microsoft. see Chapter 4. Some of the policy settings in this chapter cannot be applied through Group Policy. For more information about the MSBP. which in turn is used to create a new GPO that is linked to the File Servers OU in the appropriate environment. and they are often disabled in high security Windows environments. because the most essential services that these servers provide are the ones that require the Server Message Block (SMB) and Common Internet File System (CIFS) protocols.” For information on all default policy settings. However. Where possible. which is available at http://go.

see Chapter 4. "The Member Server Baseline Policy. group.148 Windows Server 2003 Security Guide Chapter 4. However. the settings in this section cannot be implemented through Group Policy and must therefore be performed manually on all file servers. The value of this configuration change has diminished over the past few years since the release of attack tools that specify the security identifier (SID) of the built-in Administrator account to determine its true name and then break into the server. Security Options The security options settings for file servers in the three environments that are defined in this guide are configured through the MSBP. Securing Well-Known Accounts Windows Server 2003 with SP1 has a number of built-in user accounts that cannot be deleted but can be renamed. see Chapter 4." Additional Security Settings Although the security settings that the MSBP applies significantly enhance the security of file servers." The MSBP settings activate security audit information logging on all file servers. and logon session on a network. For more information about the MSBP." The MSBP settings uniformly configure all relevant security option settings on all file servers." The MSBP settings uniformly configure all appropriate user rights assignments on all file servers. you should rename the built-in Administrator account and alter its description to help prevent compromise of remote servers by attackers who try to use this well-known account. Event Log Settings The event log settings for file servers in the three environments that are defined in this guide are configured through the MSBP. "The Member Server Baseline Policy. A SID is the value that uniquely identifies each user. computer account. User Rights Assignments The user rights assignment settings for file servers in the three environments that are defined in this guide are configured through the MSBP. Two of the most well-known built-in accounts in Windows Server 2003 are Guest and Administrator. the Guest account is disabled on member servers and domain controllers. Therefore. For more information about the MSBP. Many variations of malicious code use the built-in Administrator account in an initial attempt to compromise a server. see Chapter 4. your operations groups can easily monitor attempted attacks against this Administrator account if you rename it with a unique name. It is not possible to change the SID of this built-in account. "The Member Server Baseline Policy. . this section discusses some additional considerations. This configuration should not be changed. "The Member Server Baseline Policy. For more information about the MSBP. However. By default.

and then change their passwords to long and complex values on every domain and server. Add/Remove Windows Components. When you create your own policy. This approach is necessary to ensure that the policy elements that are provided by the templates take precedence over those that would be configured by SCW. see The Services and Service Accounts Security Planning Guide at http://go. Creating the Policy Using SCW To deploy the necessary security settings. 3. Record any changes that you make in a secure location. If the same account names and passwords are used on all domains and servers. which will apply all security settings from parent OUs. an attacker who gains access to one member server will be able to gain access to all others.microsoft. Securing Service Accounts Never configure a service to run under the security context of a domain account unless it is unavoidable. and antivirus or antispyware utilities. For more information about how to secure service accounts. Use different names and passwords on each server. If possible. If the server is physically compromised. The new installation is called a reference computer. Join the computer to the domain. • • Note: You can rename the built-in Administrator account through Group Policy. domain account passwords could be easily obtained by dumping LSA secrets. These settings are provided by the security templates for your chosen environment. you must use both the Security Configuration Wizard (SCW) and the security templates that are included with the downloadable version of this guide to create a server policy. Examples include role-specific services. You should use a new installation of the operating system to begin your configuration work. software and management agents. Install the Security Configuration Wizard component on the computer through Control Panel. be sure to skip the "Registry Settings" and “Audit Policy” sections. However. Install and configure only the mandatory applications that will be on every server that shares this role.Chapter 7: The File Server Role 149 To secure well-known accounts on file servers • • Rename the Administrator and Guest accounts. Add/Remove Programs. tape backup agents. 2. Create a new installation of Windows Server 2003 with SP1 on a new reference computer.com/fwlink/?LinkId=41311. This setting was not implemented in any of the security templates that are provided with this guide because every organization should choose a unique name for this account. UNCLASSIFIED . you can configure the Accounts: Rename administrator account setting to rename administrator accounts in all three environments that are defined in this guide. This policy setting is a part of the Security Options settings of a GPO. Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts. which helps ensure that there are no legacy settings or software from previous configurations. you should install the operating system on hardware that is similar to the hardware that is used in your deployment to help ensure as much compatibility as possible. To create the file server policy 1. 4.

if the server is configured as a certification authority (CA). You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer. ensure that clients can request and obtain certificates. In the "Registry Settings" section. you should consider using the native SCW deployment facilities. EC-File Server. the File server role. 8. such as the presence of unexpected services that are required by specific hardware devices. download a certificate revocation list. Two options are available to test the policy. Ensure that the detected administrative options are appropriate for your environment. For example. such as backup agents or antivirus software. These policy settings are imported from the supplied INF file. 9. 6. Ensure that any additional services that are required by your baseline. 12. You can use the native SCW deployment facilities. select Create new policy. click the Skip this section checkbox and then click Next. you should begin to verify the core functionality of the computer. your test servers will have the same hardware and software configuration as your production servers. The policy is tested to ensure that the application of this policy to the target servers will not adversely affect their critical functions. 11. Microsoft strongly recommends that you deploy it to your test environment. When you start to author your policies. Ideally. . Ensure that the detected client features are appropriate for your environment. or use Scwcmd to push the policy to a group of servers. 14. When you are confident in your policy configurations. and so on. The native deployment method allows you to easily roll back deployed policies from within SCW. After you apply the configuration changes. 7. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall. Test the Policy Using SCW After you create and save the policy. Ensure that the detected server roles are appropriate for your environment—for example. 15. Include the appropriate security template (for example. These policy settings are imported from the supplied INF file. You can use the SCW GUI to push a policy to a single server at a time.xml). This approach will allow you to find and fix potential problems. Save the policy with an appropriate name (for example. are detected. Ensure the Skip this section checkbox is unchecked in the "Network Security" section. File Server. 10. you can use Scwcmd as shown in the following procedure to convert the policies to GPOs. Decide how to handle unspecified services in your environment. and then click Next. This capability can be very useful when you make multiple changes to your policies during the test process. For extra security.150 Windows Server 2003 Security Guide 5.inf). In the "Audit Policy" section. you may wish to configure this policy setting to Disable. click the Skip this section checkbox and then click Next. and point it to the reference computer. Launch the SCW GUI. or deploy the policies through a GPO. 13.

mspx. Some policy settings cannot be applied through Group Policy. Most of the policy settings are applied through a Group Policy object (GPO) that was designed to complement the MSBP.xml" /g:"File Server Policy" Note: The information to be entered at the command prompt shows on more than one line here because of display limitations. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. To verify that Windows Firewall is active. • For more information about file servers. Summary This chapter explained the policy settings that can be used to configure file servers that run Windows Server 2003 with SP1 in the three environments that are defined in this guide. • UNCLASSIFIED .com/WindowsServer/en/Library/5254f8cd-143e-4559-a2999c723b3669461033.microsoft.microsoft.microsoft. see the Deployment Guide for the Security Configuration Wizard at http://technet2. More Information The following links provide additional information about topics that relate to hardening file servers that run Windows Server 2003 with SP1. open Control Panel and then double-click Windows Firewall. Convert and Deploy the Policy After you thoroughly test the policy.com/fwlink/?linkid=43450.com/windowsserver2003/technologies/storage/dfs/default. For these policy settings.Chapter 7: The File Server Role 151 For more information about how to test SCW policies. see "Technical Overview of Windows Server 2003 File Services" at www. You should now perform a final test to ensure that the GPO applies the desired settings. Note that if the SCW security policy file contains Windows Firewall settings. type the following command: scwcmd transform /p:<PathToPolicy.mspx. For more information about DFS and FRS. confirm that the appropriate settings were made and that functionality is not affected.microsoft. To complete this procedure. manual configuration details were provided. complete the following steps to convert it into a GPO and deploy it: 1. This information should all be entered on one line. At the command prompt.xml> /g:<GPODisplayName> and then press ENTER. For example: scwcmd transform /p:"C:\Windows\Security\msscw\Policies\File Server. Windows Firewall must be active on the local computer for this procedure to complete successfully. GPOs can be linked to the appropriate organizational units (OUs) that contain the file servers to provide additional security.com/windowsserver2003/techinfo/overview/file. 2. see the Distributed File System Technology Center at www.mspx and the Security Configuration Wizard Documentation at http://go.

.

inf Enterprise Client EC-Print Server. “The Member Server Baseline Policy. A Group Policy object (GPO) that complements the Member Server Baseline Policy (MSBP) can be linked to the appropriate organizational units (OUs) that contain the print servers to provide the required security settings for this server role. Some of the settings in this chapter cannot be applied through Group Policy. These protocols are often disabled on print servers in high-security Windows environments. The following table shows the names of the print server security templates for the three environments that are defined in this guide. UNCLASSIFIED .inf For information about settings in the MSBP. Most of the settings in this chapter are configured and applied through Group Policy. Table 8.1 Print Server Security Templates for All Three Environments Legacy Client LC-Print Server. Step-by-step instructions are provided in Chapter 2. see Chapter 4. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. it will be difficult for both administrators and users to access print servers if these protocols are disabled in your environment.inf security template can only be accessed reliably by client computers that are secured with compatible settings. both of which can provide rich information to unauthenticated users.inf Specialized Security – Limited Functionality SSLF-Print Server. which in turn is used to create a new GPO that is linked to the Print Servers OU in the appropriate environment. This chapter only discusses those policy settings that vary from the MSBP. However. The essential services that these servers provide are ones that require the Server Message Block (SMB) and Common Internet File System (CIFS) protocols. Note: Print servers that are secured with the SSLF-Print Server. "Windows Server 2003 Hardening Mechanisms" to help you create the OUs and Group Policies and then import the appropriate security template into each GPO.” For information on all default settings. Detailed information about how to configure these settings manually is provided.com/fwlink/?LinkId=15159.microsoft. These templates provide the policy settings for the incremental Print Server template.UNCLASSIFIED Chapter 8: The Print Server Role Overview This chapter focuses on how to harden print servers that run Microsoft® Windows Server™ 2003 with SP1. See the Windows XP Security Guide for information about how to secure client computers with SSLF-compatible settings. which is available at http://go. Where possible. these settings are gathered in an incremental Group Policy template that will be applied to the Print Servers OU. see the companion guide. which can be a challenge.

" The MSBP settings uniformly configure user rights assignments on all print servers. the SMB protocol supports SMB packet digital signing. the MSBP enables this setting for servers in the SSLF environment. For more information about MSBP. The Microsoft network server: Digitally sign communications (always) setting is configured to Disabled for print servers in all three environments that are defined in this guide. For more information about the MSBP. Although the Microsoft network server: Digitally sign communications (always) setting is disabled by default." Differences between the MSBP and the Print Server Group Policy are described in the following section. User Rights Assignments The user rights assignment settings for print servers in the three environments that are defined in this guide are configured through the MSBP. For more information about the MSBP. which allows users to print but not view the print queue. The SMB protocol provides the basis for Microsoft file and print sharing and many other network operations. see Chapter 4. Security Options Most security option settings for print servers in the three environments that are defined in this guide are configured through the MSBP. see Chapter 4. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. "The Member Server Baseline Policy. such as remote Windows administration. .2 Recommended Settings for Digitally Signing Communications (Always) Setting Legacy Client Enterprise Client Disabled Specialized Security – Limited Functionality Disabled Microsoft network server: Disabled Digitally sign communications (always) This policy setting determines whether packet signing is required by the SMB server component. "The Member Server Baseline Policy." The MSBP settings activate logging for security audit information on all print servers.154 Windows Server 2003 Security Guide Audit Policy Settings The Audit policy settings for print servers in the three environments that are defined in this guide are configured through the MSBP. see Chapter 4. Microsoft network server: Digitally sign communications (always) Table 8. Users who attempt to view the print queue will see an access denied message. "The Member Server Baseline Policy. To prevent man-in-the-middle attacks that modify SMB packets in transit.

This configuration should not be changed. However. Securing Well-Known Accounts Microsoft Windows Server 2003 with SP1 has a number of built-in user accounts that cannot be deleted but can be renamed. To secure well known accounts on print servers • • Rename the Administrator and Guest accounts.Chapter 8: The Print Server Role 155 Event Log Settings The event log settings for print servers in the three environments that are defined in this guide are configured through the MSBP. and then change their passwords to long and complex values on every domain and server. there are a few additional settings that you should consider. By default. an attacker who gains access to one member server will be able to gain access to all others. The value of this configuration change has diminished over the past few years since the release of attack tools that specify the security identifier (SID) of the built-in Administrator account to determine its true name and then break into the server. A SID is the value that uniquely identifies each user. see Chapter 4. Securing Service Accounts Never configure a service to run under the security context of a domain account unless it is unavoidable. This setting was not implemented in any of the security templates that are provided with this guide because every organization should choose a unique name for this account. It is not possible to change the SID of this built-in account. However. This policy setting is a part of the Security Options settings of a GPO. Many variations of malicious code use the built-in Administrator account in an initial attempt to compromise a server. Two of the most well-known built-in accounts in Windows Server 2003 are Guest and Administrator. Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts. • • Note: You can rename the built-in Administrator account through Group Policy. Therefore. computer account. you should rename the built-in Administrator account and alter its description to help prevent compromise of remote servers by attackers who try to use this well-known account. the Guest account is disabled on member servers and domain controllers. Record any changes that you make in a secure location. If the server is physically compromised." Additional Security Settings Although the security settings applied through the MSBP significantly enhance the security of print servers. Use different names and passwords on each server. group. The settings in this section cannot be applied through Group Policy and must therefore be performed manually on all print servers. If the same account names and passwords are used on all domains and servers. your operations groups can easily monitor attempted attacks against this Administrator account if you rename it with a unique name. "The Member Server Baseline Policy. For more information about the MSBP. and logon session on a network. the Accounts: Rename administrator account setting can be configured to rename administrator accounts in all three environments that are defined in this guide. domain account passwords could UNCLASSIFIED .

click the Skip this section checkbox and then click Next. tape backup agents. you may wish to configure this policy setting to Disable. You should use a new installation of the operating system to begin your configuration work. Launch the SCW GUI. Ensure that the detected server roles are appropriate for your environment. In the "Audit Policy" section. This approach is necessary to ensure that the policy elements that are provided by the templates take precedence over those that would be configured by SCW. see The Services and Service Accounts Security Planning Guide at http://go. click the Skip this section checkbox and then click Next. 8.microsoft. and point it to the reference computer. Join the computer to the domain. Add/Remove Programs. For more information about how to secure service accounts. Create a new installation of Windows Server 2003 with SP1 on a new reference computer. For extra security. are detected. you should use hardware that is similar to the hardware that is used in your deployment to help ensure as much compatibility as possible.156 Windows Server 2003 Security Guide be easily obtained by dumping LSA secrets.com/fwlink/?LinkId=41311. Install and configure only the mandatory applications that will be on every server that shares this role. In the "Registry Settings" section. software and management agents. which will apply all security settings from parent OUs. To create the print server policy 1. . Examples include role-specific services. such as backup agents or antivirus software. These policy settings are imported from the supplied INF file. select Create new policy. Add/Remove Windows Components. you must use both the Security Configuration Wizard (SCW) and the security templates that are included with the downloadable version of this guide to create a server policy. 10. 5. The new installation is called a reference computer. and then click Next. 13. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall. which helps ensure that there are no legacy settings or software from previous configurations. 2. 7. Ensure that the detected administrative options are appropriate for your environment. Creating the Policy Using SCW To deploy the necessary security settings. When you create your own policy. 12. and antivirus or antispyware utilities. These settings are provided by the security templates for your chosen environment. 4. 6. for example the Print server role. 3. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer. 9. These policy settings are imported from the supplied INF file. Ensure the Skip this section checkbox is unchecked in the "Network Security" section. be sure to skip the "Registry Settings" and “Audit Policy” sections. 11. If possible. Install the Security Configuration Wizard component on the computer through Control Panel. Ensure that the detected client features are appropriate for your environment. Decide how to handle unspecified services in your environment. Ensure that any additional services that are required by your baseline.

if the server is configured as a certification authority (CA).xml> /g:<GPODisplayName> and then press ENTER. This approach will allow you to find and fix potential problems. To verify that Windows Firewall is active.microsoft. This capability can be very useful when you make multiple changes to your policies during the test process. ensure that clients can request and obtain certificates.com/WindowsServer/en/Library/5254f8cd-143e-4559-a2999c723b3669461033. Microsoft strongly recommends that you deploy it to your test environment. At the command prompt. EC-Print Server. you should consider using the native SCW deployment facilities. 15. This information should all be entered on one line. Include the appropriate security template (for example.com/fwlink/?linkid=43450. For more details about how to test SCW policies. download a certificate revocation list. UNCLASSIFIED . and so on. type the following command: scwcmd transform /p:<PathToPolicy. Save the policy with an appropriate name (for example. After you apply the configuration changes. When you are confident in your policy configurations. The native deployment method offers the advantage of the ability to easily roll back deployed policies from within SCW. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. Convert and Deploy the Policy After you thoroughly test the policy.inf). For example: scwcmd transform /p:"C:\Windows\Security\msscw\Policies\Print Server. Two options are available to test the policy. Note that if the SCW security policy file contains Windows Firewall settings.microsoft. You can use the native SCW deployment facilities. you should begin to verify the core functionality of the computer.xml" /g:"Print Server Policy" Note: The information to be entered at the command prompt shows on more than one line here because of display limitations.mspx and the Security Configuration Wizard Documentation at http://go. For example. You can use SCW to push a policy to a single server at a time.Chapter 8: The Print Server Role 157 14. your test servers will have the same hardware and software configuration as your production servers. When you start to author your policies. Windows Firewall must be active on the local computer for this procedure to complete successfully. see the Deployment Guide for the Security Configuration Wizard at http://technet2. such as the presence of unexpected services that are required by specific hardware devices. complete the following steps to convert it into a GPO and deploy it: 1. you can use Scwcmd as shown in the following procedure to convert the policies to GPOs. Print Server.xml). 2. or use Scwcmd to push the policy to a group of servers. or deploy the policies through a GPO. Ideally. open Control Panel and then double-click Windows Firewall. The policy is tested to ensure that the application of this policy to the target servers will not adversely affect their critical functions. Test the Policy Using SCW After you create and save the policy.

Some policy settings that were discussed cannot be applied through Group Policy. GPOs can be linked to the appropriate organizational units (OUs) that contain the print servers to provide additional security. For more information about print servers. see "What's New in File and Print Services" at www." which is available for download at www. see the "Technical Overview of Windows Server 2003 Print Services. • . Summary This chapter explained the policy settings that can be used for print servers that run Windows Server 2003 with SP1 for the three environments that are defined in this guide.com/windowsserver2003/evaluation/overview/technologies/ fileandprint. More Information The following links provide additional information about topics that relate to hardening print servers that run Windows Server 2003 with SP1.microsoft.158 Windows Server 2003 Security Guide You should now perform a final test to ensure that the GPO applies the desired settings.microsoft.mspx. To complete this procedure.mspx. • For an overview of print servers. Most of the policy settings are applied through a Group Policy object (GPO) that was designed to complement the MSBP.com/windowsserver2003/techinfo/overview/print. confirm that the appropriate settings were made and that functionality is not affected. For these policy settings. manual configuration details were provided.

UNCLASSIFIED . You can use this template to create a new GPO that is linked to the Web Servers OU in the appropriate environment. Some of the settings in this chapter cannot be applied through Group Policy. and configuration of application pools. These features and services can be enabled through the Web Service Extensions node in Internet Information Services Manager (IIS Manager). To provide comprehensive security for Web servers and applications within your organization's intranet. performance. Server Side Includes (SSI). "locked" mode. Because they could be exploited by potential intruders.UNCLASSIFIED Chapter 9: The Web Server Role Overview This chapter provides guidance that will help you harden the Web servers in your environment that run Microsoft® Windows Server™ 2003 with SP1. features such as Active Server Pages (ASP). You should consider implementation of the settings that are described in the following sections of this chapter to enhance the security of IIS Web servers that host HTML content within your organization’s intranet. You should also protect these Web sites and applications from the Web sites and applications that run on the other IIS servers within your organization’s intranet. When it is installed. ASP. directory management. Most of the settings in this chapter are configured and applied through Group Policy. these settings are gathered in an incremental Group Policy template that will be applied to the Web Servers OU. and reliability features. only those policy settings that vary from the MSBP are discussed. To improve the usability of this chapter. Chapter 2. and Microsoft FrontPage® Server Extensions will not work until an administrator enables them. IIS Manager has a graphical user interface (GUI) that is designed to facilitate administration of IIS. in its default state IIS will only serve static content. These Web server security templates provide the policy settings for the incremental Web Server template. It includes resources for file management. the default configuration for members of the Windows Server 2003 family does not install IIS. Where possible. IIS is configured in a highly secure. you should also implement security monitoring. "Windows Server 2003 Hardening Mechanisms. as well as security." provides step-by-step instructions to help you create the OUs and Group Policies and then import the appropriate security template into each GPO. An incremental GPO that complements the MSBP is linked to the appropriate OUs and provides additional security for the Web servers. Web Distributed Authoring and Versioning (WebDAV) publishing. The following table shows the names of the Web server security templates for the three environments that are defined in this guide.NET. For example. To help secure your servers. Detailed information about how to configure these settings manually is provided. Microsoft recommends that you protect each Microsoft Internet Information Services (IIS) server as well as each Web site and application that run on these servers from client computers that can connect to them. To help protect against malicious users and attackers. and response procedures to watch for new threats. detection.

create a new GPO.inf Enterprise Client EC-Web Server. FTP. • • • • Access this computer from the network Allow log on locally Bypass traverse checking Log on as a batch job The IIS features that you need to enable will determine whether you will need to also reconfigure other user rights assignment settings to Not defined. if you need to allow anonymous access in an SSLF environment you will need to make some important changes to the OU structure and GPOs that are described in Chapters 2.0)" at www. You can move the IIS servers to the new OU. Anonymous Access and the SSLF Settings Four of the user rights that are explicitly defined in the SSLF scenario in the MSBP are designed to break anonymous access to IIS Web sites.com/fwlink/?LinkId=15159.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ 3648346f-e4f5-474b-86c7-5a86e85fa1ff. which is available at http://go. You will need to create a new OU that is not part of the hierarchy below the Member Servers OU. If you plan to use additional features in IIS you may need to need to adjust some of the security settings.mspx explains the accounts that different features of IIS use and the privileges that are required by each. If you install additional services such as SMTP. In other words.160 Windows Server 2003 Security Guide Table 9.mspx. However. The online article "IIS and Built-in Accounts (IIS 6. and 4 of this guide.com/technet/prodtechnol/WindowsServer2003/ Library/IIS/848968f3-baa0-46f9-b1e6-ef81dd09b015.microsoft.microsoft. and then reconfigure user rights assignments so that they can be controlled by local policy rather than the domain–based GPO.inf Specialized Security – Limited Functionality SSLF-Web Server. or NNTP. . you should configure the following user rights settings to Not defined in this new GPO. or it could be a child OU of some other OU hierarchy.inf For information about all default setting configurations. To implement more secure settings on Web servers that host complex applications. you should not assign user rights in a GPO that will affect the IIS servers that will be placed in this new OU. This guide illustrates how to secure IIS with minimal features installed and enabled. you may find it useful to review the complete IIS 6. However. see the companion guide. you will need to adjust the provided templates and policies. 3. apply the MSBP settings to it.microsoft.0 Documentation at www.1 IIS Server Security Templates Legacy Client LC-Web Server. This OU could be linked directly to the domain root. Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP.

such as the services that are required to provide FTP. The settings in the following sections cannot be implemented through Group Policy and must therefore be performed manually on all IIS servers. User Rights Assignments The user rights assignment settings for IIS servers in the three environments that are defined in this guide are configured through the MSBP. Security Options The security option settings for IIS servers in the three environments that are defined in this guide are configured through the MSBP." The MSBP settings ensure that all the relevant security audit information is logged on all IIS servers." The MSBP settings ensure that all the relevant security audit information is logged on all IIS servers. you should be careful to minimize the attack surface of each IIS server in your environment. each additional IIS feature must be individually enabled. see Chapter 4. Additional Security Settings When IIS is installed on a computer that runs Windows Server 2003 with SP1. "The Member Server Baseline Policy. and SMTP support. there are a few additional settings that you should consider." The MSBP settings ensure that all the relevant security options are uniformly configured on all IIS servers. see Chapter 4. see Chapter 4.Chapter 9: The Web Server Role 161 Audit Policy Settings The Audit policy settings for IIS servers in the three environments that are defined in this guide are configured through the MSBP. its default setting only allows transmission of static Web content." The MSBP settings ensure that the appropriate event log settings are uniformly configured on all IIS servers in an organization. "The Member Server Baseline Policy. then the default IIS configuration is sufficient to minimize the attack surface of the IIS servers. Installing Only Necessary IIS Components IIS 6. NNTP. If the Web sites in your organization are comprised of static content and do not require any other IIS components. "The Member Server Baseline Policy. "The Member Server Baseline Policy. IIS components and services are installed and enabled with the Windows UNCLASSIFIED . When Web sites and applications contain dynamic content or require one or more additional IIS components. Event Log Settings The event log settings for IIS servers in the three environments that are defined in this guide are configured through the MSBP. For more information about the MSBP. However. For more information about the MSBP.0 includes other components and services in addition to the World Wide Web Publishing Service. However. see Chapter 4. For more information about the MSBP. The security settings that are applied through the MSBP provide a great deal of enhanced security for IIS servers. For more information about the MSBP.

6. and then Details. 3. in the Subcomponents of Internet Information Services (IIS) list. select the check box next to the component that you want to install. click Internet Information Services (IIS). clear the check box next to the component that you want to remove. do either of the following: • • To add optional components. you will need to enable all IIS components and services that are required by your Web sites and applications. After you install IIS. and then Details. To install Internet Information Services (IIS) 6.1 Application Server dialog box with list of subcomponents . and then Finish. click Application Server. double-click Add or Remove Programs. Click OK until you return to the Windows Component Wizard. In the Application Server dialog box. In the Internet Information Services (IIS) dialog box. To remove optional components. under Subcomponents of Application Server. In Control Panel. Click the Add/Remove Windows Components button to start the Windows Components Wizard. Click Next. The following illustrations and tables show the location and suggested settings for IIS components. The subcomponents in the Application Server dialog box are shown in the following figure: Figure 9. 7. 5.0 1. 4. You should only enable essential IIS components and services that are required by Web sites and applications. 2.162 Windows Server 2003 Security Guide Components Wizard Application Server that can be launched through Add or Remove Programs in Control Panel. In the Components list. the attack surface of an IIS server increases. If you enable unnecessary components and services.

2 Recommended Application Server Subcomponents Settings Component name in UI Setting Setting logic Provides a Microsoft Management Console (MMC) snap-in that you can use to administer all the Web Application Server components. Table 9.NET applications. Allows an IIS server to host COM+ components for distributed applications. BITS server extension. Provides support for ASP. Note: If this component is not enabled. Allows an IIS server to host applications that participate in network transactions through Distributed Transaction Coordinator (DTC). Disable this component unless the applications that run on the IIS server require it. Enable this component when an IIS server runs ASP.NET Disabled Enable network COM+ access Enabled Enable network DTC access Disabled Internet Information Services (IIS) Enabled UNCLASSIFIED . then all subcomponents are disabled. This component is not required on a dedicated IIS server because IIS Server Manager can be used.Chapter 9: The Web Server Role 163 The following table briefly describes the Application Server subcomponents and provides recommendations for when to enable them. Required for FTP. Message Queuing Disabled Microsoft Message Queuing (MSMQ) Provides a message routing. World Wide Web Service. storage. Provides basic Web and FTP services. and forwarding middleware layer for enterprise Web applications. and IIS Manager among others. This component is required for dedicated IIS servers. Application Server Console Disabled ASP.NET applications.

Note that Windows Update. and Automatic Updates do not require this component to run.2 IIS dialog box with list of subcomponents The following table briefly describes the IIS subcomponents and provides recommendations for when to enable them.164 Windows Server 2003 Security Guide The subcomponents in the Internet Information Services (IIS) dialog box are shown in the following figure: Figure 9.3 Recommended IIS Subcomponents Settings Component name in UI Background Intelligent Transfer Service (BITS) server extension Setting Disabled Setting logic The BITS server extension allows BITS on the clients to upload files to this server in the background. They require the BITS client component. Microsoft Update. Common Files File Transfer Protocol (FTP) Service FrontPage 2002 Server Extensions Enabled Disabled Disabled . This service is not required for dedicated IIS servers. Allows IIS servers to provide FTP services. SUS. IIS requires these files and they must always be enabled on IIS servers. Table 9. Disable on dedicated IIS servers when no Web sites use FrontPage extensions. WSUS. If you have an application on the clients that uses BITS to upload files to this server. leave it disabled. then enable and configure the BITS server extension. Provides FrontPage support to administer and publish Web sites. which is not part of IIS. otherwise.

queries. Distributes. retrieves. NNTP Service Disabled SMTP Service Disabled World Wide Web Service Enabled The subcomponents in the Message Queuing dialog box are shown in the following figure: Figure 9. This component is not required on dedicated IIS servers.3 Message Queuing dialog box with list of subcomponents UNCLASSIFIED . Provides Web services. static. This component is not required on dedicated IIS servers. This component is not required on dedicated IIS servers. Provides Web-based printer management and allows printers to be shared over HTTP.Chapter 9: The Web Server Role 165 Component name in UI Internet Information Services Manager Internet Printing Setting Enabled Disabled Setting logic Administrative interface for IIS. This component is required on dedicated IIS servers. Supports the transfer of electronic mail. and posts Usenet news articles on the Internet. and dynamic content to clients.

166 Windows Server 2003 Security Guide The following table briefly describes the Message Queuing subcomponents and provides recommendations for when to enable them. This component is required when an IIS server's Web sites and applications use MSMQ. Provides the ability to send and receive messages over the HTTP transport. Common Disabled Downlevel Client Support Disabled MSMQ HTTP Support Disabled Routing support Disabled Triggers Disabled . This component is required when Web sites and applications that run on IIS servers use MSMQ. Provides access to Active Directory and site recognition for downstream clients.4 Recommended Message Queuing Subcomponents Settings Component name in UI Active Directory Integration Installation Setting logic option Disabled Provides integration with the Active Directory® directory service whenever an IIS server belongs to a domain. Provides store-and-forward messaging as well as efficient routing services for MSMQ. Associates the arrival of incoming messages at a queue with functionality in a COM component or a stand-alone executable program. Table 9. This component is required when Web sites and applications that run on IIS servers use MSMQ. This component is required when an IIS server's Web sites and applications use MSMQ. This component is required when Web sites and applications that run on IIS servers use Microsoft Message Queuing (MSMQ).

SUS. WSUS. otherwise leave it disabled. Microsoft Update.5 Recommended BITS Server Extensions Subcomponents Settings Component name in UI BITS management console snap-in Installation Setting logic option Disabled Installs an MMC snap-in to administer BITS. Enable this component when the BITS server extension for Internet Server Application Programming Interface (ISAPI) is enabled. which is not part of IIS. Installs the BITS ISAPI so that an IIS server can transfer data using BITS.4 BITS Server Extensions with list of subcomponents The following table briefly describes the BITS Server Extensions subcomponents and provides recommendations for when to enable them. If you have an application on the clients that uses BITS to upload files to this server. then enable and configure the BITS server extension. and Automatic Updates do not require this component to run. Note that Windows Update. BITS server extension ISAPI Disabled UNCLASSIFIED . Table 9.Chapter 9: The Web Server Role 167 The subcomponents in the Background Intelligent Transfer Service (BITS) Server Extensions dialog box are shown in the following figure: Figure 9. BITS Server Extensions allow BITS on the clients to upload files to this server in the background. They require the BITS client component.

or disable it by using the Web service extensions. see the following “Enabling Only Essential Web Service Extensions” section in this chapter. or disable it by using the Web service extensions. For more information.5 World Wide Web Service dialog box with list of subcomponents The following table briefly describes the World Wide Web Service subcomponents and provides recommendations for when to enable them. Disable this component when no Web sites or applications that run on IIS servers include files with . Table 9. Provides support for dynamic content that is provided through files with .168 Windows Server 2003 Security Guide The subcomponents in the World Wide Web Service dialog box are shown in the following figure: Figure 9.idc extensions. see the following “Enabling Only Essential Web Service Extensions” section in this chapter.idc extensions. For more information.6 Recommended World Wide Web Service Subcomponent Settings Component name in UI Active Server Pages Installation Setting logic option Disabled Provides support for ASP. Disable this component when no Web sites or applications on IIS servers use ASP. Internet Data Connector Disabled .

including the ability to generate dynamic content.0 allow individual Web service extensions to be enabled or disabled. WebDAV extends the HTTP/1. Use IIS Manager instead to provide easier administration and to reduce the attack surface of an IIS server. You should only enable those Web service extensions that are required by the Web sites and applications that run on IIS servers in your environment. and . This component is required on dedicated IIS servers. This feature is not required on dedicated IIS servers. Provides Web services. Enhanced security features in IIS 6. One way to ensure the highest possible compatibility with existing applications is to enable all Web service extensions. Remote Desktop Web Connection Disabled Server – Side Includes Disabled WebDAV Disabled World Wide Web Service Enabled Enabling Only Essential Web Service Extensions Many Web sites and applications that run on IIS servers have extended functionality that goes beyond static pages.1 protocol to allow clients to publish. static. Not required on a dedicated IIS server. Includes Microsoft ActiveX® control and sample pages to host Terminal Services client connections. These extensions include ASP. lock.Chapter 9: The Web Server Role 169 Component name in UI Remote Administration (HTML) Installation Setting logic option Disabled Provides an HTML interface to administer IIS. Provides support for .shtm. and FrontPage Server extensions. and dynamic content to clients. Disable this component on dedicated IIS servers or disable it by using the Web service extensions. Dynamic content capabilities can be enabled through the Web Service Extensions node in IIS Manager.stm files. Disable this component when no Web sites or applications that run on IIS server use include files with these extensions. UNCLASSIFIED . but this method also creates a security risk because it increases the attack surface of IIS. see the following “Enabling Only Essential Web Service Extensions” section in this chapter. This approach will minimize server functionality and reduce the attack surface of each IIS server. SSI. and manage resources on the Web. WebDAV.shtml. Use IIS Manager instead to provide easier administration and to reduce the attack surface of an IIS server. For more information. To reduce the attack surface of IIS servers as much as possible. Any dynamic content that is served or extended through features that are provided by an IIS server is accomplished through Web service extensions. As stated earlier. IIS servers will transmit only static content after a new installation.NET. only necessary Web service extensions are enabled on IIS servers in the three environments that are defined in this guide. .

If the Web site content is on a separate disk volume.idx files). permissions on the Cmd. In the three environments that are defined in this guide.exe file exists in the <systemroot>\System32 folder.NET v1.exe in an attempt to invoke the command prompt. WebDAV support is required on IIS servers for clients to transparently publish and manage Web resources. and there are currently no known methods to access commands on a different drive with this type of attack. One or more Web sites that run on IIS servers use FrontPage Extensions. One or more Web sites and applications that run on IIS servers contain ASP. a navigation bar. a page header or footer) into different Web pages. a directory traversal attack of this type would not work for two reasons. One or more Web sites and applications that run on IIS servers use IDC to display database information (this content includes . This approach helps prevent directory traversal attacks in which an attacker sends requests for a file that is located outside the directory structure of an IIS server.170 Windows Server 2003 Security Guide The following table lists predefined Web service extensions. For example. One or more Web sites that run on IIS servers use SSI directives to instruct IIS servers to insert reusable content (for example.7 Enabling Web Service Extensions Web service extension Active Server Pages ASP. . all files and folders that make up Web sites and applications are placed on dedicated disk volumes that are separate from the operating system. Second.. Table 9.1. First. the Cmd. An attacker could make a request to the following location: . FrontPage Server Extensions 2002 Internet Data Connector (IDC) Server Side Includes (SSI) Web Distributed Authoring and Versioning (WebDav) Placing Content on a Dedicated Disk Volume IIS stores files for its default Web site in the <systemroot>\inetpub\wwwroot folder (where <systemroot> is the drive on which the Windows Server 2003 operating system is installed). One or more Web sites and applications that run on IIS servers contain unknown ISAPI extension content.. One or more Web sites and applications that run on IIS servers contain unknown CGI extension content.exe file would not exist on the same disk volume as the Web root.4322 All Unknown CGI Extensions All Unknown ISAPI Extensions Enable extension when One or more Web sites and applications that run on IIS servers contain ASP content.\Windows\system\cmd.NET content.exe file have been reset as part of the base build of Windows Server 2003 with SP1 that restricts access to a much more limited group of users.\. and provides details on when to enable each extension. the Cmd.idc and .

not instead of Web permissions. .shtml) Everyone (execute) Administrators (full control) System (full control) Static content (. Web site permissions affect all users who access the Web site or application. .pl) Recommended NTFS permissions Everyone (execute) Administrators (full control) System (full control) Script files (. such as script source access or directory browsing. . You should explicitly deny access to anonymous accounts on Web sites and applications for which anonymous access is not desired.html) Everyone (read-only) Administrators (full control) System (full control) Setting IIS Web Site Permissions IIS examines Web site permissions to determine the types of action that can occur within a Web site. You should assign Web UNCLASSIFIED . Setting NTFS Permissions Computers that run Windows Server 2003 with SP1 examine NTFS file system permissions to determine the types of access a user or a process has on a specific file or folder. the Guests group. . .Chapter 9: The Web Server Role 171 In addition to the security-related benefits. dedicated physical drive can help reduce disk contention on the system volume and improve overall disk access performance. . . administration tasks such as backup and restore are easier when Web site and application files and folders are placed on a dedicated disk volume. You should assign NTFS permissions to allow or deny access to specific users for Web sites on IIS servers in the three environments that are defined in this guide. Also.exe. The different file types can be grouped in separate folders to simplify the application of NTFS permissions. and IIS Anonymous accounts.inc. Anonymous access occurs when a user who has no authenticated credentials accesses network resources.asp) Everyone (execute) Administrators (full control) System (full control) Include files (. If Web permissions conflict with NTFS permissions for a directory or file. the more restrictive settings are applied.jpg. eliminate any write-access permissions to all users except those who are IIS administrators. Also.htm. Anonymous accounts include the built-in Guest account. The following table provides some recommendations about the NTFS permissions that should be applied to the different file types on an IIS server.gif.cmd. .dll. use of a separate.shtm. Table 9. . NTFS permissions affect only the accounts that have been allowed or denied access to the Web site and application content.txt. You should use NTFS permissions in conjunction with Web permissions.8 Recommended NTFS Permissions Settings File type CGI files (.

Script Source Access includes the source code for scripts. This permission is selected by default. identify information bottlenecks. Unlike NTFS permissions.9 IIS 6. The following table lists the Web site permissions that are supported by IIS 6. IIS logs more information than the event logs and performance monitoring features that are provided by the Windows operating system. Allows the Indexing Service to index resources. Allows both scripts and executables to run on the server. and when the information was last viewed.0. If Read is enabled. and can be configured for specific sites. directories. and files. Important: When Script Source Access is enabled. if Write is enabled. which allows searches to be performed on resources. They may also be able to change source code that runs on an IIS server and seriously affect the server's security and performance. this option is not available. Web site permissions can be used in conjunction with NTFS permissions. Users can change content and properties of directories or files. Directory browsing Log visits Index this resource Execute Users can view file lists and collections. Configuring IIS Logging Microsoft recommends that IIS logging be enabled on IIS servers in the three environments that are defined in this guide. Scripts only. Allows only scripts to run on the server. Separate logs can be created for each Web site or application.172 Windows Server 2003 Security Guide site permissions to provide additional security for Web sites on IIS servers in the three environments that are defined in this guide. A log entry is created for each visit to the Web site. Users can access source files. such as a user name and password.0 Web Site Permissions Web site permission Permission granted Read Write Script Source Access Users can view the content and properties of directories or files. users may be able to view sensitive information. The IIS logs can include information such as who has visited a site. or as resources to help investigate attacks. and provides brief explanations of when to assign any given permission to a Web site. Does not allow scripts executables to run on the server. If neither Read nor Write is enabled. Scripts and Executables. then the source can be read. Web site permissions can be applied with the MMC IIS Manager snap-in. what the visitor viewed. . The following options determine the level of script execution for users: • • • None. Table 9. Web site permissions affect everyone who tries to access a Web site that runs on an IIS server. IIS logs can be used to assess content popularity. then the script source code can be changed.

server performance could be negatively affected when log files are written over the network. To limit the size of the logs.com/technet/prodtechnol/ WindowsServer2003/Library/IIS/13a4c0b5-686b-4766-8729-a3402da835f1. This error indicates that the owner of the directory or file is not in the Local Administrators group. For more information about centralized binary logging. which can degrade overall server performance. ensure that the renamed account is specified. you should store logs on a non-system striped or striped/mirrored disk volume. Remote logging allows administrators to set up centralized log file storage and backup." When you add the Administrator account to any user rights. Logs can also be written to a remote share over a network by using a full. IIS logging can be configured to use several other ASCII or Open Database Connectivity (ODBC) log file formats. However. IIS disables the kernel-mode cache.0) page at www. However. Universal Naming Convention (UNC) path. Manually Adding Unique Security Groups to User Rights Assignments Most user rights assignments that are applied through the MSBP have the proper security groups specified in the security templates that accompany this guide.sys file (the kernel-mode driver in IIS 6.mspx. and that logging has been suspended for that site until the owner is added to the Local Administrators group. Also.microsoft. "The Member Server Baseline Policy. User rights assignments that must be configured manually are specified in the following table. Centralized binary logging enables all Web sites on an IIS server to write activity information to a single log file. ODBC logs can store activity information in a SQL database. note that when ODBC logging is enabled. or the existing directory or log file is deleted. IIS uses the W3C Extended Log File Format to create daily activity logs in the directory that is specified for the Web site in IIS Manager. and the exact information to be logged. Do not confuse the Administrator account with the built-in Administrators security group. IIS servers that host hundreds of sites can enable centralized binary logging to improve logging performance. If a log file directory or file owner is not in the Local Administrators group. you may have renamed the built-in Administrator account in accordance with the recommendation in Chapter 4. you will need to log on locally to correct the mistake. there are a few accounts and security groups that cannot be included in the templates because their security identifiers (SIDs) are specific to individual Windows 2003 domains.0) publishes an error to the NT event log. Warning: The following table contains values for the built-in Administrator account. see the IIS Centralized Binary Logging (IIS6.Chapter 9: The Web Server Role 173 The MMC IIS Manager snap-in can be used to configure the log file format. When IIS logs are stored on IIS servers. the log schedule. you should use a careful planning process to determine which fields to log. This method can greatly increase the manageability and scalability of the IIS logging process because it reduces the number of logs that need to be individually stored and analyzed. To improve server performance. the HTTP. However. When IIS logging is enabled. only server administrators have permission to access them by default. UNCLASSIFIED . If you add the Administrators security group to any of the listed deny access user rights.

but does NOT include LOCAL SYSTEM. If the same account names and passwords are used on all domains and servers. This setting was not implemented in any of the security templates that are provided with this guide because every organization should choose a unique name for this account. LOCAL SERVICE or the NETWORK SERVICE accounts (the built-in accounts that the operating system uses). Therefore. However. Two of the most well-known built-in accounts in Windows Server 2003 are Guest and Administrator. computer account. Built-in Administrator.174 Windows Server 2003 Security Guide Table 9. This configuration should not be changed. A SID is the value that uniquely identifies each user. Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts. It is not possible to change the SID of this built-in account. . Record any changes you make in a secure location. all NONGuest. all NONOperating System Operating System Operating System service accounts service accounts service accounts Important: “All non-operating system service accounts” includes service accounts that are used for specific applications across an enterprise. Use different names and passwords on each server. group. Support_388945a0. an attacker who gains access to one member server will be able to gain access to all others. However. you can configure the Accounts: Rename administrator account setting to rename administrator accounts in the three environments that are defined in this guide. Support_388945a0. the Guest account is disabled on member servers and domain controllers. This policy setting is a part of the Security Options settings of a GPO. Securing Well-Known Accounts Windows Server 2003 has a number of built-in user accounts that cannot be deleted but can be renamed. • • Note: You can rename the built-in administrator account through Group Policy. By default.10 Manually Added User Rights Assignments Member server default Deny access to this computer from the network Legacy Client Enterprise Client Specialized Security – Limited Functionality Built-in Built-in Administrator. To secure well known accounts on IIS servers • • Rename the Administrator and Guest accounts. and logon session on a network. Support_388945a0. Many variations of malicious code use the built-in Administrator account in an initial attempt to compromise a server. Administrator. you should rename the built-in Administrator account and alter its description to help prevent compromise of remote servers by attackers who try to use this well-known account. all NONGuest. your operations groups can easily monitor attempted attacks against this Administrator account if you rename it with a unique name. and change their passwords to long and complex values on every domain and server. Guest. The value of this configuration change has diminished over the past few years since the release of attack tools that specify the security identifier (SID) of the built-in Administrator account to determine its true name and then break into the server.

you may wish to configure this policy setting to Disable.Chapter 9: The Web Server Role 175 Securing Service Accounts Never configure a service to run under the security context of a domain account unless it is unavoidable. Ensure that the detected server roles are appropriate for your environment—for example the Application server and Web server roles. domain account passwords could be easily obtained by dumping LSA secrets. 4. For more information about how to secure service accounts. 9. and point it to the reference computer. Creating the Policy Using SCW To deploy the necessary security settings. such as backup agents or antivirus software. Install and configure only the mandatory applications that will be on every server that shares this role. Add/Remove Windows Components. Install the Security Configuration Wizard component on the computer through Control Panel. be sure to skip the "Registry Settings" and “Audit Policy” sections. To create the IIS server policy 1. Launch the SCW GUI. The new installation is called a reference computer. 3. you must use both the Security Configuration Wizard (SCW) and the security templates that are included with the downloadable version of this guide to create a server policy.microsoft. Ensure that any additional services that are required by your baseline. 5. and then click Next. and antivirus or antispyware utilities. 8. Decide how to handle unspecified services in your environment. 10. see The Services and Service Accounts Security Planning Guide at http://go. 6. If possible. which will apply all security settings from parent OUs. This approach is necessary to ensure that the policy elements that are provided by the templates take precedence over those that would be configured by SCW. If the server is physically compromised. select Create new policy. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall. Ensure that the detected administrative options are appropriate for your environment. When you create your own policy. are detected. software and management agents. Examples include role-specific services. Ensure that the detected client features are appropriate for your environment. you should use on hardware that is similar to the hardware that is used in your deployment to help ensure as much compatibility as possible. Add/Remove Programs. 7. 11. tape backup agents. These settings are provided by the security templates for your chosen environment. UNCLASSIFIED . Create a new installation of Windows Server 2003 with SP1 on a new reference computer.com/fwlink/?LinkId=41311. Ensure the Skip this section checkbox is unchecked in the "Network Security" section. You should use a new installation of the operating system to begin your configuration work. which helps ensure that there are no legacy settings or software from previous configurations. For extra security. 2. Join the computer to the domain.

xml> /g:<GPODisplayName> and then press ENTER. Test the Policy Using SCW After you create and save the policy. Include the appropriate security template (for example. EC-IIS Server. Convert and Deploy the Policy After you thoroughly test the policy. you should begin to verify the core functionality of the computer. if the server is configured as a certification authority (CA). The native deployment method allows you to easily roll back deployed policies from within SCW. and NNTP.mspx and the Security Configuration Wizard Documentation at http://go. The policy is tested to ensure that the application of this policy to the target servers will not adversely affect their critical functions. For example: scwcmd transform /p:"C:\Windows\Security\msscw\Policies\IIS Server. After you apply the configuration changes. ensure that clients can request and obtain certificates.176 Windows Server 2003 Security Guide 12. In the "Audit Policy" section. complete the following steps to convert it into a GPO and deploy it: 1. see the Deployment Guide for the Security Configuration Wizard at http://technet2.microsoft. For example. including FTP. click the Skip this section checkbox and then click Next. This capability can be very useful when you make multiple changes to your policies during the test process. Microsoft strongly recommends that you deploy it to your test environment. When you are confident in your policy configurations. Note: The MSBP disables several other IIS-related services. you can use Scwcmd as shown in the following procedure to convert the policies to GPOs. You can use the native SCW deployment facilities. click the Skip this section checkbox and then click Next. 14. download a certificate revocation list. When you start to author your policies. 13. This approach will allow you to find and fix potential problems. your test servers will have the same hardware and software configuration as your production servers. type the following command: scwcmd transform /p:<PathToPolicy. such as the presence of unexpected services that are required by specific hardware devices. or deploy the policies through a GPO. SMTP. At the command prompt.com/fwlink/?linkid=43450. You can use SCW to push a policy to a single server at a time. and so on. These policy settings are imported from the supplied INF file.inf). Save the policy with an appropriate name (for example. 15.microsoft.xml" /g:"IIS Policy" Note: The information to be entered at the command prompt shows on more than one line here because of display limitations.xml). Two options are available to test the policy. . or use Scwcmd to push the policy to a group of servers.com/WindowsServer/en/Library/5254f8cd-143e-4559-a2999c723b3669461033. This information should all be entered on one line. you should consider using the native SCW deployment facilities. For more details about how to test SCW policies. In the "Registry Settings" section. These policy settings are imported from the supplied INF file. The Web Server policy must be modified if any of these services are to be enabled on IIS servers in any of the three environments that are defined in this guide. IIS Server. Ideally.

0) page at www. For these settings. For information about centralized binary logging.com/WindowsServer2003/iis/default. • • • • • • UNCLASSIFIED . see the Centralized Binary Logging in IIS 6.com/technet/prodtechnol/ WindowsServer2003/Library/IIS/b9cdc076-403d-463e-9a36-5a14811d34c7. • For information about how to enable logging in IIS. For information about remote logging. For information about how to log site activity.mspx. see the Internet Information Services page at www. Windows Firewall must be active on the local computer for this procedure to complete successfully.0. To complete this procedure.com/technet/prodtechnol/WindowsServer2003/Library/ IIS/ab7e4070-e185-4110-b2b1-1bcac4b168e0.mspx.mspx. To verify that Windows Firewall is active. For information about extended logging. Additional information about logging is available on the Enable Logging (IIS 6. see the Customizing W3C Extended Logging (IIS 6.0) page on Microsoft. see the Remote Logging (IIS 6.0) page at www. open Control Panel and then double-click Windows Firewall. GPOs can be linked to the appropriate organizational units (OUs) that contain the IIS servers to provide additional security.com/technet/prodtechnol/WindowsServer2003/Library/ IIS/96af216b-e2c0-428e-9880-95cbd85d90a1.mspx. manual configuration details were provided. confirm that the appropriate settings were made and that functionality is not affected.0 (IIS 6.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ d29207e8-5274-4f4b-9a00-9433b73252d6.0) page at www. More Information The following links provide additional information about topics that relate to hardening IIS–based Web servers that run Windows Server 2003 with SP1. Some of the settings that were discussed cannot be applied through Group Policy. Most of the settings are applied through a Group Policy object (GPO) that was designed to complement the MSBP. For additional information about IIS 6.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ a6347ae3-39d1-4434-97c9-5756e5862c61. Note that if the SCW security policy file contains Windows Firewall settings. see the Logging Site Activity (IIS 6. Summary This chapter explained the policy settings that can be used to harden IIS servers that run Windows Server 2003 with SP1 in the three environments that are defined in this guide.microsoft.0) page at www.microsoft. see the Microsoft Knowledge Base article "How to enable logging in Internet Information Services (IIS)" at http://support.microsoft.mspx. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. You should now perform a final test to ensure that the GPO applies the desired settings.microsoft.mspx.microsoft.microsoft.com at www.com/?kbid=313437.Chapter 9: The Web Server Role 177 2.

.

or Windows 2000 domain controllers. “The Member Server UNCLASSIFIED . which is available at http://go. which in turn is used to create a new GPO that is linked to the IAS Servers OU.microsoft. the Request Authenticator. authorization. This template provides the settings for the incremental IAS Server template. see Chapter 4. see Chapter 4. including Routing and Remote Access (RRAS). IAS can be used to authenticate users in databases on Windows Server 2003. Some of the settings in this chapter cannot be applied through Group Policy. RFC 2865 notes the potential need to evaluate the threat environment and to determine whether additional security should be used. the DoS attack information specified for the majority of the other server roles in this guide is not included here.com/fwlink/?LinkId=15159. For more information about the MSBP. Audit Policy Audit policy settings for IAS servers in the EC environment are configured through the MSBP. and accounting. The name of the infrastructure server security template for the EC environment is ECInfrastructure Server. Step-by-step instructions are provided in Chapter 2. Note: The setting prescriptions for the IAS server role were tested for the Enterprise Client environment only. Where possible.” For information on all default setting configurations. “The Member Server Baseline Policy. these settings are gathered in an incremental Group Policy template that will be applied to the IAS Servers OU. For this reason. The settings in this chapter are configured and applied through Group Policy. Windows NT® 4. This chapter only discusses those policy settings that vary from the MSBP. A Group Policy object (GPO) that complements the Member Server Baseline Policy (MSBP) can be linked to the appropriate organizational units (OUs) that contain the IAS servers to provide the required security setting changes for this server role.0. see the companion guide.inf. For information about settings in the MSBP. IAS also supports a variety of network access servers (NAS). Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. Detailed information about how to configure these settings manually is provided. and the MD5 hashing algorithm to encrypt the User-Password and other attributes. "Windows Server 2003 Hardening Mechanisms" to help you create the OUs and Group Policies and then import the appropriate security template into each GPO. The RADIUS hiding mechanism uses the RADIUS shared secret. IAS is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy that enables centralized management of user authentication.UNCLASSIFIED Chapter 10: The IAS Server Role Overview This chapter provides recommendations and resources that will help you harden Internet Authentication Service (IAS) servers in your environment that run Microsoft Windows Server 2003 with SP1. such as Tunnel-Password and MS-CHAP-MPPE-Keys.

However. However. This configuration should not be changed. computer account. Therefore." The MSBP settings ensure that appropriate access to IAS servers is uniformly configured across an enterprise. see Chapter 4. “The Member Server Baseline Policy. Event Log The event log settings for IAS servers in the EC environment are also configured through the MSBP. It is not possible to change the SID of this built-in account. see Chapter 4. By default. For more information about the MSBP. see Chapter 4. this section discusses some additional considerations. the built-in Administrator account should be renamed and the description altered to help prevent compromise of remote servers by attackers who try to use this well-known account. your operations groups can easily monitor attempted attacks against this Administrator account if you rename it with a unique name. but can be renamed." The MSBP settings ensure that appropriate access to IAS servers is uniformly configured throughout an organization. . the settings in this section cannot be applied through Group Policy. User Rights Assignments User rights assignments for IAS servers in the EC environment are also configured through the MSBP. The value of this configuration change has diminished over the past few years since the release of attack tools that specify the security identifier (SID) of the built-in Administrator account to determine its true name and then break into the server. For more information about the MSBP. A SID is the value that uniquely identifies each user. Two of the most well known built-in accounts in Windows Server 2003 are Guest and Administrator. the Guest account is disabled on member servers and domain controllers. and logon session on a network. For more information about the MSBP. Many variations of malicious code use the built-in Administrator account in an initial attempt to compromise a server. “The Member Server Baseline Policy." The MSBP settings ensure that all the relevant security audit information is logged on all IAS servers in an organization. Security Options The security options settings for IAS servers in the EC environment are also configured through the MSBP. and must therefore be performed manually on all IAS servers. Securing Well-Known Accounts Windows Server 2003 with SP1 has a number of built-in user accounts that cannot be deleted. “The Member Server Baseline Policy.180 Windows Server 2003 Security Guide Baseline Policy." Additional Security Settings Although the security settings that are applied through the MSBP significantly enhance the security of IAS servers. group.

Join the computer to the domain. Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts. Creating the Policy Using SCW To deploy the necessary security settings. you must use both the Security Configuration Wizard (SCW) and the security templates that are included with the downloadable version of this guide to create a server policy. see The Services and Service Accounts Security Planning Guide at http://go. This policy setting was not implemented in any of the security templates that are provided with this guide because every environment should choose a unique name for this account. • • Note: The built-in Administrator account can be renamed through Group Policy. This role is commonly configured on servers that do not require it and could be considered a security risk.microsoft. which will apply all security settings from parent OUs. This approach is necessary to ensure that the policy elements that are provided by the templates take precedence over those that would be configured by SCW. You should use a new installation of the operating system to begin your configuration work.com/fwlink/?LinkId=41311. For more information about how to secure service accounts. To create the IAS server policy 1. However. Add/Remove Programs. 3. If the server is physically compromised. and change their passwords to long and complex values on every domain and server. the installation should be on hardware that is similar to the hardware that is used in your deployment to help ensure as much compatibility as possible. domain account passwords could be easily obtained by dumping LSA secrets. Use different names and passwords on each server. an attacker who gains access to one member server will be able to gain access to all others. Install the Security Configuration Wizard component on the computer through Control Panel.Chapter 10: The IAS Server Role 181 To secure well-known accounts on IAS servers • • Rename the Administrator and Guest accounts. UNCLASSIFIED . which helps ensure that there are no legacy settings or software from previous configurations. When you create your own policy. Create a new installation of Windows Server 2003 with SP1 on a new reference computer. During the server policy creation steps you will probably remove the File server role from the list of detected roles. Record any changes that you make in a secure location. 2. Add/Remove Windows Components. you can apply a second policy later in this process. These settings are provided by the security templates for your chosen environment. be sure to skip the "Registry Settings" and “Audit Policy” sections. the Accounts: Rename administrator account setting can be configured to rename administrator accounts in the EC environment. The new installation is called a reference computer. If possible. If the same account names and passwords are used on all domains and servers. To enable the File server role for servers that require it. Securing Service Accounts Never configure a service to run under the security context of a domain account unless it is unavoidable. This policy setting is a part of the Security Options settings section of a GPO.

In the "Audit Policy" section. Test the Policy Using SCW After you create and save the policy. ensure that clients can request and obtain certificates. EC-IAS Server. This capability can be very useful when you make multiple changes to your policies during the test process. 10. Include the appropriate security template (for example. 5. These policy settings are imported from the supplied INF file. Ensure that the detected server roles are appropriate for your environment. For example. you should consider using the native SCW deployment facilities. Decide how to handle unspecified services in your environment. are detected. IAS Server. . or use Scwcmd to push the policy to a group of servers. for example the IAS server (RADIUS) role. Ensure that any additional services that are required by your baseline. 12. and antivirus or antispyware utilities. software and management agents. tape backup agents. 9. and so on. The native deployment method allows you to easily roll back deployed policies from within SCW. For extra security. Examples include role-specific services. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall. your test servers will have the same hardware and software configuration as your production servers. Ensure the Skip this section checkbox is unchecked in the "Network Security" section. such as backup agents or antivirus software. download a certificate revocation list.xml). 14. After you apply the configuration changes. Install and configure only the mandatory applications that will be on every server that shares this role. 7. such as the presence of unexpected services that are required by specific hardware devices. Ensure that the detected client features are appropriate for your environment. click the Skip this section checkbox and then click Next. click the Skip this section checkbox and then click Next. select Create new policy. you should begin to verify the core functionality of the computer. and then click Next. When you are confident in your policy configurations. Microsoft strongly recommends that you deploy it to your test environment.182 Windows Server 2003 Security Guide 4.inf). if the server is configured as a certification authority (CA). 6. Save the policy with an appropriate name (for example. These policy settings are imported from the supplied INF file. 15. This approach will allow you to find and fix potential problems. Ideally. In the "Registry Settings" section. Launch the SCW GUI. You can use SCW to push a policy to a single server at a time. Ensure that the detected administrative options are appropriate for your environment. The policy is tested to ensure that the application of this policy to the target servers will not adversely affect their critical functions. 13. you can use Scwcmd as shown in the following procedure to convert the policies to GPOs. When you start to author your policies. Two options are available to test the policy. and point it to the reference computer. or deploy the policies through a GPO. you may wish to configure this policy setting to Disable. You can use the native SCW deployment facilities. 8. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer. 11.

At the command prompt. open Control Panel and then double-click Windows Firewall. You should now perform a final test to ensure that the GPO applies the desired settings. To verify that Windows Firewall is active. Convert and Deploy the Policy After you thoroughly test the policy. type the following command: scwcmd transform /p:<PathToPolicy.Chapter 10: The IAS Server Role 183 For more information about how to test SCW policies. For example: scwcmd transform /p:"C:\Windows\Security\msscw\Policies\IAS Server. Windows Firewall must be active on the local computer for this procedure to complete successfully. The settings were configured and applied through a Group Policy object (GPO) that was designed to complement the MSBP. complete the following steps to convert it into a GPO and deploy it: 1. This information should all be entered on one line. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. 2.microsoft. UNCLASSIFIED . but they have not been tested or validated.xml> /g:<GPODisplayName> and then press ENTER.mspx and the Security Configuration Wizard Documentation at http://go.com/WindowsServer/en/Library/5254f8cd-143e-4559-a2999c723b3669461033. GPOs can be linked to the appropriate organizational units (OUs) that contain the IAS servers in your organization to provide additional security. Summary This chapter explained the settings that can be used to harden IAS servers that run Windows Server 2003 with SP1 in the Enterprise Client environment that is defined in this guide. These settings may also work in the other environments defined in this guide.xml" /g:"IAS Policy" Note: The information to be entered at the command prompt shows on more than one line here because of display limitations. Note that if the SCW security policy file contains Windows Firewall settings. see the Deployment Guide for the Security Configuration Wizard at http://technet2. To complete this procedure.com/fwlink/?linkid=43450. confirm that the appropriate settings wee made and that functionality is not affected.microsoft.

mspx. For more information about RADIUS. see the RFC memo "RADIUS Accounting" at www. see the Internet Authentication Service page at http://technet2.ietf.microsoft. For more information about IAS and security.184 Windows Server 2003 Security Guide More Information The following links provide additional information about topics that relate to hardening IAS servers that run Windows Server 2003 with SP1.txt.mspx.com/WindowsServer/en/Library/ab4eeeb2-b0aa-4b4a-a9593902b2b3f1af1033. and Windows Server 2003. • For more information about IAS.mspx.microsoft. see the IAS and firewalls page at www.com/WindowsServer/en/Library/d98eb914-258c4f0b-ad04-dc4db9e4ee631033. For information about IAS. firewalls.com/technet/prodtechnol/windowsserver2003/library/ ServerHelp/518e70a9-9e7a-422b-a13f-f3193d4fd215.microsoft.org/rfc/rfc2866. • • • . see the Understanding IAS page at http://technet2.

UNCLASSIFIED

Chapter 11: The Certificate Services Server Role
Overview
This chapter provides guidance that will help you harden servers that run Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1) and Microsoft Certificate Services in your environment. Although this chapter includes all of the information you need to secure these types of servers, it does not provide any details about how to create a secure Certificate Services infrastructure in your environment or how to deploy a certification authority (CA). These topics are discussed in detail in the Windows Server 2003 product documentation. They are also discussed in the Windows Server 2003 Resource Kit and in white papers that are available on the Microsoft Web site. Additional information can be found in a companion guide: Securing Wireless LANs with Certificate Services, which is available at http://go.microsoft.com/fwlink/?LinkId=14843. The settings in this chapter are configured and applied through Group Policy. A Group Policy object (GPO) that complements the Member Server Baseline Policy (MSBP) can be linked to the appropriate organizational units (OUs) that contain the CA servers to provide the required security setting changes for this server role. This chapter only discusses those policy settings that vary from the MSBP. Where possible, these settings are gathered in an incremental Group Policy template that will be applied to the CA Servers OU. Some of the settings in this chapter cannot be applied through Group Policy. Detailed information about how to configure these settings manually is provided. The name of the CA Server security template for the EC environment is EC-CA Server.inf. This is the incremental CA Server template, which is used to create a new GPO that is linked to the CA Servers OU in the appropriate environment. Step-by-step instructions are provided in Chapter 2, "Windows Server 2003 Hardening Mechanisms" to help you create the OUs and Group Policies and then import the appropriate security template into each GPO. For information about settings in the MSBP, see Chapter 4, “The Member Server Baseline Policy.” For information on all default settings, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available at http://go.microsoft.com/fwlink/?LinkId=15159.
Note: The policy setting recommendations for the Certificate Services server role were tested for the Enterprise Client environment only. For this reason, the denial of service (DoS) information that was specified for most of the other server roles in this guide is not included in this chapter.

You might install Microsoft Internet Information Services (IIS) on some of the Certificate Services servers in your environment so that these servers can distribute CA certificates and certificate revocation lists (CRLs). IIS is also used to host the Certificate Services server Web enrollment pages, which allow non-Microsoft Windows® clients to enroll certificates. Before you act on the information in this chapter, make sure you understand how to securely install IIS, which is described in Chapter 9, "The Web Server Role" in this
UNCLASSIFIED

186

Windows Server 2003 Security Guide

guide. If you install IIS on your CAs, the security configuration template that was developed for Chapter 9 must be applied to your Certificate Services servers before you configure the prescribed settings that are described in this chapter.
Note: In simplified environments, the issuing CA server can be used to host the Web server, the CA certificate, and the CRL download points. However, you should consider using a separate Web server in your own environment to improve the security of your CAs.

IIS is used to host the certificate server enrollment pages and to distribute CA certificates and CRL download points for non-Windows clients. Microsoft recommends that you not install IIS on the root CA server. If possible, you should not run IIS on your issuing CA and any intermediate CAs in your environment. It is more secure to host the Web download points for CA certificates and CRLs on a different server than the CA server itself. Many certificate users (internal and external) who need to retrieve CRLs or CA chain information should not necessarily be permitted access to the CA. However, you cannot isolate users from the CA if you host the download points on it.

Audit Policy Settings
Audit policy settings for Certificate Services servers in the Enterprise Client environment guide are configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." The MSBP settings ensure that all the relevant security audit information is logged on all Certificate Services servers.

User Rights Assignments
User rights assignment settings for Certificate Services servers in the Enterprise Client environment are also configured through the MSBP. For more information about the MSBP, see Chapter 4, "The Member Server Baseline Policy." The MSBP settings ensure that appropriate access to Certificate Services servers is uniformly configured across an enterprise.

Security Options
The Security Options section of Group Policy is used to enable or disable security settings for computers, such as digital signing of data, Administrator and Guest account names, floppy disk drive and CD-ROM drive access, driver installation behavior, and logon prompts. You can configure the security options settings in Windows Server 2003 at the following location within the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options The following table includes the recommended security options setting for the Certificate Services server role in the Enterprise Client environment. Detailed information about the setting is provided in the text that follows the table. Table 11.1 Recommended Security Options Settings Setting System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Enterprise Client Enabled

Chapter 11: The Certificate Services Server Role

187

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. In effect, support for this cipher suite means that the provider only supports the TLS protocol as a client and a server (if applicable). The TLS/SSL Security Provider uses the following algorithms: • • The Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption. The Rivest, Shamir, and Adelman (RSA) public key algorithm for the TLS key exchange and authentication. (RSA is a public-key encryption technology that was developed by RSA Data Security, Inc.) The SHA-1 hashing algorithm for the TLS hashing requirements.

For the Encrypting File System Service (EFS), the TLS/SSL Security Provider supports only the Triple DES encryption algorithm to encrypt file data that is stored in the Windows NTFS file system. By default, in Windows 2000 and Windows XP with no service packs, EFS uses the DESX algorithm to encrypt file data, however in Windows XP SP1 and later, and Windows Server 2003, the default algorithm is Advanced Encryption Standard (AES) using a 256-bit key. If you enable this policy setting, computers that fulfill this server role in your environment will use the most powerful algorithms that are available for digital encryption, hashing, and signing. Use of these algorithms minimizes risk because they limit the ability of an unauthorized user to compromise digitally encrypted or signed data. For these reasons, the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting is configured to Enabled for the Enterprise Client environment.
Note: Client computers that have this policy setting enabled will be unable to communicate through digitally encrypted or signed protocols with servers that do not support these algorithms. Network client computers that do not support these algorithms will not be able to use servers that require the algorithms for network communications. For example, many Apache–based Web servers are not configured to support TLS. If you enable this setting you must also configure Internet Explorer to use TLS. To do so, open the Internet Options dialog box from the Internet Explorer Tools menu, click the Advanced tab on the Internet Options dialog box, scroll towards the bottom of the Settings list, and then click the Use TLS 1.0 checkbox. It is also possible to configure this functionality through Group Policy or with the Internet Explorer Administrators Kit.

Event Log Settings
The event log settings for Certificate Services servers in the Enterprise Client environment are configured through the MSBP. For more information on the MSBP, see Chapter 4, "The Member Server Baseline Policy."

Additional Registry Entries
Additional registry entries were created for the EC-CA Server.inf template file. These entries are not defined within the Administrative Template (.adm) files for the Enterprise
UNCLASSIFIED

188

Windows Server 2003 Security Guide

Client environment as defined in this guide. The .adm files define the system policies and restrictions for the desktop, shell, and security settings for Windows Server 2003 with SP1. The additional registry entries are configured within the security template to automate their implementation. If the Incremental Certificate Services Group Policy for this environment is removed, its settings are not automatically removed and must be manually changed with a registry editing tool such as Regedt32.exe. You can configure the registry entries in Windows Server 2003 at the following location within the Group Policy Object Editor: MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration

Additional Security Settings
The following ACLs are suggested and can be assigned through Group Policy. However, these ACLs are not included in the security templates that are provided with this guide because the path for the database and logs will differ from server to server. For example, your Certificate Servers server could have a C:\, D:\, and E:\ drive. Details about how to manually implement these policy settings are provided in the following section.

File System ACLs
Files that are not protected by access control lists (ACLs) can be easily viewed, changed, or deleted by unauthorized users who can access them locally or over the network. Although ACLs can help protect files, encryption provides much more protection and is a viable option for files that only need to be accessible to a single user. The following table includes the file system ACLs for Windows Server 2003–based Certificate Services servers in the Enterprise Client environment. In this environment, the Certificate Services servers use D:\CertSrv as the certificate database directory and the database logs are stored in the default folder %SystemRoot%\system32\CertLog. It is also possible to move the logs from the system drive to a physically separate mirrored drive, such as E:\CertLog. Security considerations do not require separation of the database and logs onto different physical disk drives, but this configuration is recommended for added protection from disk failures and to improve performance. The Certificate Services default installation folders %SystemRoot%\system32\CertLog and %SystemRoot%\system32\CertSrv have the correct ACLs by default, which are shown in the following table. Table 11.2 File System ACLs ACL path in UI %SystemRoot%\system32\CertLog (propagate to all subfolders) %SystemRoot%\system32\CertSrv (propagate to all subfolders) Enterprise Client Administrators (Full Control) SYSTEM (Full Control) Administrators (Full Control) SYSTEM (Full Control) Users (Read and Execute, List Folder Contents, and Read) D:\CertLog Administrators (Full Control) SYSTEM (Full Control)

Chapter 11: The Certificate Services Server Role 189 ACL path in UI D:\CertSrv Enterprise Client Administrators (Full Control) SYSTEM (Full Control) Users (Read and Execute. and logon session on a network. UNCLASSIFIED . To secure well-known accounts on CA servers • • Rename the Administrator and Guest accounts. The audit entries are configured as shown in the following table: Table 11. It is not possible to change the SID of this built-in account. A SID is the value that uniquely identifies each user. and change their passwords to long and complex values on every domain and server. Many variations of malicious code use the built-in Administrator account in an initial attempt to compromise a server. group. If the same account names and passwords are used on all domains and servers. and Read) Because of the security-sensitive nature of CAs. Therefore. However. By default.3 Certificate Services File and Registry Audit Configuration File path or registry path Audit type Audit setting Everyone (Full Control) Everyone (Modify) Everyone (Modify) Everyone (Modify) %SystemRoot%\system32\CertLog Fail %SystemRoot%\system32\CertSrv Success D:\CertSrv D:\CertLog Success Success These policy settings will audit any type of failure access (read or modify) from any user and also audit any successful modification by any user. The value of this configuration change has diminished over the past few years since the release of attack tools that specify the security identifier (SID) of the built-in Administrator account to determine its true name and then break into the server. computer account. the built-in Administrator account should be renamed and the description altered to help prevent compromise of remote servers by attackers who try to use this well-known account. your operations groups can easily monitor attempted attacks against this Administrator account if you rename it with a unique name. Two of the most well known built-in accounts in Windows Server 2003 are Guest and Administrator. but can be renamed. Use different names and passwords on each server. List Folder Contents. file auditing is enabled on the Certificate Services folders that are listed in the preceding table. the Guest account is disabled on member servers and domain controllers. an attacker who gains access to one member server will be able to gain access to all others. Securing Well-Known Accounts Windows Server 2003 with SP1 has a number of built-in user accounts that cannot be deleted. This configuration should not be changed.

Add/Remove Windows Components. When you create your own policy. Record these changes in a secure location. software and management agents. This policy setting is a part of the Security Options settings of a GPO. The new installation is called a reference computer. These settings are provided by the security templates for your chosen environment. 6. you can configure the Accounts: Rename administrator account setting to rename the Administrator account in the EC environment. Ensure that the detected server roles are appropriate for your environment—for example the Certificate Services role. This approach is necessary to ensure that the policy elements that are provided by the templates take precedence over those that would be configured by SCW.190 Windows Server 2003 Security Guide • • Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts. Note: You can rename the built-in Administrator account through Group Policy. This role is commonly configured on servers that do not require it and could be considered a security risk. 4. However. Install the Security Configuration Wizard component on the computer through Control Panel. To enable the File server role for servers that require it. For more information about how to secure service accounts. 2. Join the computer to the domain.com/fwlink/?LinkId=41311. This policy setting was not implemented in any of the security templates that are provided with this guide because every organization should choose a unique name for this account. you should use hardware that is similar to the hardware that is used in your deployment to help ensure as much compatibility as possible. If the server is physically compromised. which will apply all security settings from parent OUs. and antivirus or antispyware utilities. select Create new policy. Install and configure only the mandatory applications that will be on every server that shares this role. you can apply a second policy later in this process. If possible. Launch the SCW GUI. Securing Service Accounts Never configure a service to run under the security context of a domain account unless it is unavoidable. Creating the Policy Using SCW To deploy the necessary security settings. Add/Remove Programs. which helps ensure that there are no legacy settings or software from previous configurations. tape backup agents. 5. You should use a new installation of the operating system to begin your configuration work.microsoft. and point it to the reference computer. 3. you must use both the Security Configuration Wizard (SCW) and the security templates that are included with the downloadable version of this guide to create a server policy. see The Services and Service Accounts Security Planning Guide at http://go. During the server policy creation steps you will probably remove the File server role from the list of detected roles. . be sure to skip the "Registry Settings" and “Audit Policy” sections. domain account passwords could be easily obtained by dumping LSA secrets. Examples include role-specific services. Create a new installation of Windows Server 2003 with SP1 on a new reference computer. To create the Certificate Services server policy 1.

12. You can use the native SCW deployment facilities. you should begin to verify the core functionality of the computer. Ensure the Skip this section checkbox is unchecked in the "Network Security" section. Two options are available to test the policy. 9. 13.xml). you may wish to configure this policy setting to Disable. your test servers will have the same hardware and software configuration as your production servers. you can use Scwcmd as shown in the following procedure to convert the policies to GPOs. This capability can be very useful when you make multiple changes to your policies during the test process. UNCLASSIFIED . You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer.Chapter 11: The Certificate Services Server Role 191 7. In the "Audit Policy" section. Ensure that any additional services that are required by your baseline. click the Skip this section checkbox and then click Next. Ensure that the detected administrative options are appropriate for your environment.com/WindowsServer/en/Library/5254f8cd-143e-4559-a2999c723b3669461033. ensure that clients can request and obtain certificates.microsoft. For extra security. you should consider using the native SCW deployment facilities. These policy settings are imported from the supplied INF file. These policy settings are imported from the supplied INF file. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall. When you start to author your policies. Include the appropriate security template (for example.inf). 8. download a certificate revocation list. Save the policy with an appropriate name (for example. When you are confident in your policy configurations.mspx and the Security Configuration Wizard Documentation at http://go. Ideally. You can use SCW to push a policy to a single server at a time. This approach will allow you to find and fix potential problems. 10.microsoft. In the "Registry Settings" section. 15. The native deployment method allows you to easily roll back deployed policies from within SCW. 11. The policy is tested to ensure that the application of this policy to the target servers will not adversely affect their critical functions. if the server is configured as a certification authority (CA). or deploy the policies through a GPO. For more details about how to test SCW policies. see the Deployment Guide for the Security Configuration Wizard at http://technet2. such as the presence of unexpected services that are required by specific hardware devices. are detected. For example.com/fwlink/?linkid=43450. EC-CA Server. or use Scwcmd to push the policy to a group of servers. and then click Next. Certificate Services. and so on. Decide how to handle unspecified services in your environment. After you apply the configuration changes. Ensure that the detected client features are appropriate for your environment. Microsoft strongly recommends that you deploy it to your test environment. Test the Policy Using SCW After you create and save the policy. 14. click the Skip this section checkbox and then click Next. such as backup agents or antivirus software.

see "PKI Enhancements in Windows XP Professional and Windows Server 2003" at www.mspx. GPOs can be linked to the appropriate organizational units (OUs) that contain the Certificate Services servers to provide additional security. More Information The following links provide additional information about topics that relate to hardening servers that run Windows Server 2003 with SP1 and Certificate Services. confirm that the appropriate settings were made and that functionality is not affected. 2. see the Public Key Infrastructure page at http://technet2. The settings are configured and applied through a Group Policy object (GPO) that complements the MSBP.xml> /g:<GPODisplayName> and then press ENTER.microsoft. Windows Firewall must be active on the local computer for this procedure to complete successfully. see "An Introduction to the Windows 2000 Public Key Infrastructure" at www. To complete this procedure. For more detailed information about PKI functionality in Windows Server 2003 and Windows XP. Use the Group Policy Management Console to link the newly created GPO to the appropriate OU. • For a good introduction to public key infrastructure (PKI) concepts and the features of Windows 2000 certificate services. To verify that Windows Firewall is active.microsoft. type the following command: scwcmd transform /p:<PathToPolicy. Note that if the SCW security policy file contains Windows Firewall settings. For example: scwcmd transform /p:"C:\Windows\Security\msscw\Policies\Certificate Services. Summary This chapter explained the policy settings that can be used to harden Certificate Services servers that run Windows Server 2003 with SP1 in the Enterprise Client environment as defined in this guide.com/technet/archive/windows2000serv/ evaluate/featfunc/pkiintro.microsoft. complete the following steps to convert it into a GPO and deploy it: 1.xml" /g:"Certificate Services Policy" Note: The information to be entered at the command prompt shows on more than one line here because of display limitations.mspx.192 Windows Server 2003 Security Guide Convert and Deploy the Policy After you thoroughly test the policy. At the command prompt.com/WindowsServer/en/Library/32aacfe8-83af-4676-a45c75483545a9781033.mspx. open Control Panel and then double-click Windows Firewall. You should now perform a final test to ensure that the GPO applies the desired settings. • • . This information should all be entered on one line.com/technet/prodtechnol/winxppro/plan/pkienh. For more background information about key PKI concepts.

1 Bastion Host Server Security Templates Legacy Client SSLF-Bastion Host. You will need to modify the configuration files that are included with the guide to add any additional functionality. Bastion Host Local Policy The server roles that are described earlier in this guide used Group Policy to configure servers. protocols. Bastion hosts are commonly used as Web servers. bastion hosts need to be carefully designed and configured.UNCLASSIFIED Chapter 12: The Bastion Host Role Overview This chapter focuses on how to harden bastion hosts that run Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1) in your environment. which makes them fully exposed to attack. Bastion hosts are secure but publicly accessible computers that are located on the public-facing side of an organization’s perimeter network (also known as DMZ. File Transfer Protocol (FTP) servers. Because they are exposed and not protected by other devices. All unnecessary services. DNS servers." The settings are included in a security template that must be applied to the Bastion Host Local Policy (BHLP) of each bastion host. and then each bastion host is configured to fulfill a specific role.inf . To minimize the possibility of compromise. Table 12. because the more functions that a server provides the greater the likelihood that a security hole will be overlooked. Group Policy cannot be applied to bastion host servers because they are configured as stand-alone hosts that do not belong to an Active Directory® directory service domain. It is easier to secure a single service on a single bastion host than it is to secure multiple services. Bastion hosts are unprotected by a firewall or filtering router. only one level of guidance is prescribed for bastion host servers in the three environments that are defined in this guide. bastion hosts are dedicated to just one of these functions. Simple Mail Transfer Protocol (SMTP) servers. programs. "The Member Server Baseline Policy. The steps that are included in this chapter will help you create an SMTP bastion host. and network interfaces are disabled or removed. demilitarized zone. and screened subnet). The security settings that are described in this chapter are based on the Member Server Baseline Policy (MSBP) for the SSLF environment that is defined in Chapter 4. Organizations that can afford multiple bastion hosts can greatly benefit from this type of network architecture. The following sections of this chapter describe various security settings that will help secure bastion hosts in any environment. Ideally. and Network News Transfer Protocol (NNTP) servers.inf UNCLASSIFIED Specialized Security – Limited Functionality SSLF-Bastion Host. If you use this method to harden bastion hosts you can limit potential methods of attack. Secure bastion hosts are configured very differently from typical hosts.inf Enterprise Client SSLF-Bastion Host.

the IUSR account that is used for anonymous access to IIS is a member of the Guests group by default. and all NON-Operating System service accounts for bastion hosts in the SSLF environment that is defined in this guide. Security Options The BHLP security options settings for bastion hosts are the same as those specified in the SSLF-Member Server Baseline. Guest. This policy setting overrides the Access this computer from the network setting when a user account is subject to both policies. you need to add them manually to the BHLP. Support_388945a0. NetBIOS. Built-in Administrator. In Chapter 4. all NON-Operating System service accounts Deny access to this computer from the network Note: ANONOYMOUS LOGON. and Component Object Model Plus (COM+). you could limit the ability of users to perform delegated administrative tasks in your environment. "The Member Server Baseline Policy.2 Recommended User Rights Assignments Setting User Rights assignment Deny access to this computer from the network Setting ANONOYMOUS LOGON. If you configure this user right for other groups. Common Internet File System (CIFS). It denies a number of network protocols. This policy setting determines which users cannot access a computer over the network.inf file in Chapter 4. including server message block (SMB)-based protocols.194 Windows Server 2003 Security Guide Audit Policy Settings The BHLP Audit policy settings for bastion hosts are included in the SSLF-Bastion Host. Guest. These policy settings are based on those that are specified in the SSLF-Member Server Baseline. These settings are the same as those specified in the SSLF-Member Server Baseline. Detailed information is provided in the text that follows the table. see Chapter 4. HTTP. User Rights Assignments The SSLF-Bastion Host. Built-in Administrator." The information in the following table summarizes the differences between the BHLP and the MSBP. and all NONoperating system service accounts are not included in the security template." The BHLP settings ensure that all relevant security audit information is logged on all bastion host servers. Guest. Table 12. However. The Deny access to this computer from the network setting is configured to include ANONOYMOUS LOGON. Support_388945a0. "The Member Server Baseline .inf file includes the BHLP user rights assignments for bastion hosts. Therefore.inf file in Chapter 4. Support_388945a0. These accounts and groups have unique security identifier (SIDs). For more information about the MSBP. Built-in Administrator. "The Member Server Baseline Policy.inf file. "The Member Server Baseline Policy." this guide recommends that you include the Guests group in the list of users and groups that are assigned this user right to provide the highest possible level of security possible.inf file.

LOCAL SERVICE or the NETWORK SERVICE accounts (the built-in accounts that the operating system uses). Guest. If the Administrators security group is added to the specified “Deny access” user right you will need to log on locally in order to correct the mistake. all NONOperating System Operating System Operating System service accounts service accounts service accounts Important: “All non-operating system service accounts“ includes service accounts that are used for specific applications across an enterprise." These BHLP settings ensure that all relevant security options are uniformly configured on all bastion host servers. Event Log Settings The BHLP event log settings for bastion hosts are the same as those specified in the SSLF-Member Server Baseline. This account is not to be confused with the built-in Administrators security group. there are a few accounts and security groups that cannot be included in the templates because their security identifiers (SIDs) are specific to individual Windows Server 2003 domains. However. Additional Security Settings The security settings that the BHLP applies significantly enhance the security of bastion host servers. "The Member Server Baseline Policy. and must therefore be completed manually on all bastion host servers.inf file in Chapter 4. Warning: The following table contains values for the built-in Administrator account.3 Manually Added User Rights Assignments Setting Deny access to this computer from the network Legacy Client Enterprise Client Specialized Security – Limited Functionality Built-in Built-in Built-in Administrator. Table 12. all NONGuest. However. the built-in Administrator account may have been renamed. Support_388945a0. but does NOT include LOCAL SYSTEM. UNCLASSIFIED . Administrator. ensure that you specify the renamed account. all NONGuest. as recommended in Chapter 4. Administrator. there are a few additional settings that should be considered. Support_388945a0. These settings cannot be applied through local policy.Chapter 12: The Bastion Host Role 195 Policy. Support_388945a0. Manually Adding Unique Security Groups to User Rights Assignments Most user rights assignments that are applied through the MSBP have the proper security groups specified in the security templates that accompany this guide." These BHLP settings ensure that all relevant event log settings are uniformly configured on all bastion host servers. The user rights assignment setting in the following table must be configured manually. "The Member Server Baseline Policy. Also." When you add the Administrator account to a user right.

It is not possible to change the SID of this built-in account. computer account.4 Recommended Error Reporting Settings Setting Turn off Windows Error Reporting Legacy Client Enabled Enterprise Client Enabled Specialized Security – Limited Functionality Enabled This service helps Microsoft track and address errors. However. Many variations of malicious code use the built-in Administrator account in an initial attempt to compromise a server. the Microsoft privacy policy with regard to error reporting ensures that Microsoft will not use such data improperly. Use different names and passwords on each server. Two of the most well-known built-in accounts in Windows Server 2003 are Guest and Administrator. the data is transmitted in plaintext HTTP. the Guest account is disabled on member servers and domain controllers.196 Windows Server 2003 Security Guide Securing Well-Known Accounts Windows Server 2003 with SP1 has a number of built-in user accounts that cannot be deleted but can be renamed. . By default. Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts. Record any changes that you make in a secure location. To secure well known accounts on bastion host servers • • Rename the Administrator and Guest accounts. • • Error Reporting Table 12. group. and then change their passwords to long and complex values on every server. your operations groups can easily monitor attempted attacks against this Administrator account if you rename it with a unique name. A SID is the value that uniquely identifies each user. Windows component errors. It is only available in Windows XP Professional and Windows Server 2003. However. If the same account names and passwords are used on all servers. The Turn off Windows Error Reporting setting controls whether the Error Reporting service transmits any data. an attacker who gains access to one server will be able to gain access to all others. you should rename the built-in Administrator account and alter its description to help prevent compromise of remote servers by attackers who try to use this well-known account. Although error reports can potentially contain sensitive or even confidential data. or program errors. which could be intercepted on the Internet and viewed by third parties. This configuration should not be changed. Therefore. The Error Reporting service can report such errors to Microsoft through the Internet or to an internal file share. You can configure this service to generate reports for operating system errors. and logon session on a network. The value of this configuration change has diminished over the past few years since the release of attack tools that specify the security identifier (SID) of the built-in Administrator account to determine its true name and then break into the server.

you must use both the Security Configuration Wizard (SCW) and the security templates that are included with the downloadable version of this guide to create a server policy. Remove all other server roles. For example. Launch the SCW GUI. Create a new installation of Windows Server 2003 with SP1 on a new reference computer. Additional options will increase the manageability of the bastion host. and point it to the reference computer. These settings are provided by the security templates for your chosen environment. you should use hardware that is similar to the hardware that is used in your deployment to help ensure as much compatibility as possible. Carefully weigh the benefits of any options that are not crucial to the proper operation of the bastion host against the potential security risks they might pose. Install and configure only the mandatory applications that will be on every bastion host. You should use a new installation of the operating system to begin your configuration work. During the server policy creation steps you will probably remove the File server role from the list of detected roles. you should remove the Microsoft networking client and the DHCP client features to reduce the server’s attack surface. Ensure that any additional services that are required by your baseline. Add/Remove Programs. Install the Security Configuration Wizard component on the computer through Control Panel. select Create new policy. Ensure that the detected server roles are appropriate for the bastion host (for example. If possible. Creating the Policy Using SCW To deploy the necessary security settings. you can apply a second policy later in this process. 7. For maximum protection. 6.Chapter 12: The Bastion Host Role 197 You can configure this policy setting in Windows Server 2003 at the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communications settings Configure the Turn off Windows Error Reporting setting to Enabled in the BHLP for all three environments that are defined in this guide. which helps ensure that there are no legacy settings or software from previous configurations. This approach is necessary to ensure that the policy elements that are provided by the templates take precedence over those that would be configured by SCW. 3. such as backup agents or antivirus software. 4. This role is commonly configured on servers that do not require it and could be considered a security risk. To enable the File server role for servers that require it. Add/Remove Windows Components. To create the bastion host policy 1. 2. Ensure that the detected client features are appropriate for your environment. are detected. Web server). remove all administrative options except for Windows Firewall. The new installation is called a reference computer. be sure to skip the "Registry Settings" and “Audit Policy” sections. Examples include antivirus or antispyware utilities. When you create your own policy. but will also increase its attack surface. Remove all unnecessary client features. 8. UNCLASSIFIED . 5.

you must apply the settings with SCW. Windows Firewall must be active on the local computer for this procedure to complete successfully. For extra security. ensure that clients can request and obtain certificates. Note that if the SCW security policy file contains Windows Firewall settings. 2. For example.com/fwlink/?linkid=43450. Test the Policy Using SCW After you create and save the policy. Bastion Host.198 Windows Server 2003 Security Guide 9. Because computers in the bastion host role are not connected to a domain. 10. 13. Select Apply an existing security policy. SSLF-Bastion Host. your test servers will have the same hardware and software configuration as your production servers. Complete the SCW wizard to apply the settings. Save the policy with an appropriate name (for example. if the server is configured as a certification authority (CA). In the "Registry Settings" section. This approach will allow you to find and fix potential problems. Bastion Host. To verify that Windows Firewall is active. complete the following steps to implement it: 1.xml. For example. click the Skip this section checkbox and then click Next. click the Skip this section checkbox and then click Next.xml). Decide how to handle unspecified services in your environment. you should begin to verify the core functionality of the computer. Select the XML file that you created earlier. 11.com/WindowsServer/en/Library/5254f8cd-143e-4559-a2999c723b3669461033. You cannot use Group Policy without a domain. You should test this configuration before you deploy it to your production network because it may cause problems if your production servers run additional services that are not duplicated on your reference computer. 4. Launch the SCW GUI. such as the presence of unexpected services that are required by specific hardware devices. you may wish to configure this policy setting to Disable. open Control Panel and then double-click Windows Firewall. Include the appropriate security template (for example. and so on. 12. After you apply the configuration changes. When you are confident in your policy configurations. These policy settings are imported from the supplied INF file. 14. 3. Uncheck all ports except those that are required for the bastion host function.inf). Implement the Policy After you thoroughly test the policy.microsoft. see the Deployment Guide for the Security Configuration Wizard at http://technet2. you can use Scwcmd as shown in the following procedure to convert the policies to GPOs.microsoft. Ensure the Skip this section checkbox is unselected in the "Network Security" section. In the "Audit Policy" section. The appropriate ports and applications identified earlier are configured as exceptions for Windows Firewall. These policy settings are imported from the supplied INF file. and then click Next. download a certificate revocation list.mspx and the Security Configuration Wizard Documentation at http://go. For more details about how to test SCW policies. . Ideally. Microsoft strongly recommends that you deploy it to your test environment. The policy is tested to ensure that the application of this policy to the target servers will not adversely affect their critical functions.

microsoft.htm.ro/~busaco/teach/docs/intranets/ch16. For additional information about bastion hosts.org/rr/whitepapers/basics/420.org/rfcs/rfc2196. they are exposed to outside attacks.html. see the "Intruder Detection Checklist" by Jay Beale at www. For information about safeguards against intruders. Guidance about how to configure and apply manual settings was also provided. The most secure bastion host servers limit access only to highly trusted accounts. confirm that the appropriate settings were made and that functionality is not affected. open the .org/tech_tips/intruder_detection_checklist.S.faqs. and Brent D.htm. For information about how to troubleshoot the Security Configuration and Analysis Tool.htm.com/essay534. For more information about firewalls and security. see the SANS Info Sec Reading Room article "Hardening Bastion Hosts" at www.uaic.html. Summary Because bastion host servers that run Windows Server 2003 with SP1 are not protected by other devices such as firewalls.pdf file "Firewalls and Virtual Private Networks" by Elizabeth D. Simon Cooper.sans. Zwicky. see the Microsoft Knowledge Base article "Problems After You Import Multiple Templates Into the Security Configuration and Analysis Tool" at http://support. see the U. see the "Site Security Handbook" at www. and enable only those services that are necessary to fully perform their functions.cert. • For more information about building private networks.info.com/?kbid=279125. To complete this procedure. Military About defense in depth page at http://usmilitary.itmweb. For information about the defense-in-depth model. Many of the settings can be applied through local Group Policy. • • • • • • • UNCLASSIFIED . This chapter explained settings and procedures that can be used to harden bastion host servers and make them more secure. For more information about how to harden bastion hosts.com/legacy/compbooks/press/0471348201_09.Chapter 12: The Bastion Host Role 199 You should now perform a final test to ensure that SCW applies the desired settings. Chapman at www. More Information The following links provide additional information about topics that relate to hardening bastion host servers that run Windows Server 2003 with SP1.com/od/glossarytermsd/g/did. see "How Bastion Hosts Work" at http://thor.php.wiley. They must be secured as much as possible to maximize their availability and to minimize the possibility of compromise.pdf. see "Internet Firewalls and Security – A Technology Overview" by Chuck Semeria at www. For information about site security.about.

.

security-related matters should be treated seriously. Now that you have finished this guide. Regardless of your organization's environment. informative. However. and devices that are present in your environment. The reasons for certain choices were explained in terms of the tradeoffs that must be considered when an organization needs to decide whether to implement each of the countermeasures. and provided detailed guidance about how to correct specific vulnerabilities that are commonly found on computers that run Windows Server 2003 with SP1. Windows XP. Most organizations that use the Windows Server 2003 operating system would improve their security if they implemented all of the countermeasures that are discussed in this guide. and reliability of the computers so that you can make informed choices about which countermeasures to implement in your own environment. a properly implemented security strategy can help to improve the availability and performance of your computer systems. Every member of the team that produced this guide hopes that you found the material covered in it useful. and Windows 2000 solutions in a variety of settings. It documented methods for how to plan and design security into your organization's network infrastructure. security that is added to a project as an afterthought can negatively affect usability. When well-designed security becomes a core business requirement and is planned for at the start of every information technology (IT) project. Details were provided about how specific countermeasures may affect the functionality. many organizations still do not sufficiently address security issues because they mistakenly view security as something that restricts their agility and flexibility. these environments may again be quite susceptible to attack. when the next serious vulnerability is discovered. and management flexibility. it is important to understand that the task of securing the servers in a network is not a one time project. Some of this guidance includes material that was collected from consultants and systems engineers who have implemented Windows Server 2003. you should have a clear understanding of how to assess risks that may affect the security of those computers that run Microsoft® Windows Server™ 2003 with SP1 in your organization. it is essential that you monitor a variety of resources to stay current on security issues related to the operating systems. This guide explained how to effectively mitigate security risks for computers that run Windows Server 2003 with SP1 in three distinct environments. stability. This material has helped establish a set of best practices for how to make Windows Server 2003 as secure as possible. Every organization should include security among its highest priorities. However. Finally. but rather an ongoing process that organizations must include in their budgets and schedules. This guide included prescriptive guidance that may be applied to any organization.UNCLASSIFIED Chapter 13: Conclusion Congratulations. You have gained an understanding of how to plan and design security into your network infrastructure wherever possible. However. UNCLASSIFIED . manageability. performance. and easy to understand. applications. For these reasons.

see the Microsoft Operations Framework page at www. see the Trustworthy Computing: Security page at www.mspx. . For more detail about how MOF can assist in your enterprise.mspx.microsoft.com/mscorp/twc/default.com/technet/itsolutions/cits/mo/mof/default.202 Windows Server 2003 Security Guide More Information The following links provide additional information about topics that relate to hardening servers that run Windows Server 2003 with SP1.microsoft. • • For more information about security at Microsoft.

registry settings. so it cannot be used to configure the domain-level policies. and roll back policies. test. This appendix provides an overview of the available Microsoft tools and the formats that security policies may come in. Windows Firewall exceptions. deploy policies. which makes it easy to create secure policies. It includes the ability to remotely profile target computers.UNCLASSIFIED Appendix A: Security Tools and Formats It can be a challenge to create. However. Unlike Group Policy. SCW will automatically manage service settings. it is not integrated with the Active Directory® directory service.0 and has become an integral part of Group Policy. The SCE first appeared as an add-on for Windows NT® 4. you can quickly and easily create prototype policies for multiple server roles that are based on the latest guidance and best practices from Microsoft. and manage a complete set of policy and templates for your organization. deploy. The command-line tool Scwcmd allows SCW and Group Policy to be used together to deploy policies to groups of computers or convert policies to GPOs. and more. Security Tools The following tools are available either with the Windows Server™ 2003 operating system or as free downloads from the Microsoft Web site. The SCE is no longer a separate component and is used in the following Microsoft Management Console (MMC) snap-ins and administrative utilities: • • • • • • MMC Security Configuration and Analysis snap-in MMC Security Templates snap-in Group Policy Editor snap-in (used for the Security Settings portion of the Computer Configuration tree) Local Security Settings tool Domain Controller Security Policy tool Domain Security Policy tool UNCLASSIFIED . Security Configuration Editor The Security Configuration Editor (SCE) tools are used to define security policy templates that can be applied to individual computers or to groups of computers through Active Directory Group Policy. Security Configuration Wizard The Security Configuration Wizard (SCW) was introduced in Windows Server 2003 SP1. With SCW. it does provide a consistent role-based hardening methodology that uses wizards.

import.microsoft. powerful interface to create and edit policies whether they are intended for a stand-alone computer or will be deployed as a GPO. control policy order and inheritance. It can manage both Windows 2000 Server and Windows Server 2003 domains. author. The Group Policy Management Console with Service Pack 1 is available as a free download for all Windows Server 2003 customers at www. and paste GPOs. Scriptable GPO operations.com/downloads/details.0"> element. The GPMC must be run on Windows XP with SP1 or Windows Server 2003 and consists of an MMC snap-in and a set of scriptable interfaces that can be used to manage Group Policy. You can find more information about SCE from Windows Help. Report capabilities for GPO and Resultant Set of Policy (RSoP) data.xml) SCW introduces a new file format that is based on XML. Windows administrators enjoy a consistent. However.204 Windows Server 2003 Security Guide Because all of these tools use the SCE. the snap-in does not offer a consistent. and manage your Group Policies. but can be identified by the <SecurityPolicy Version="1. You can find more information about the MMC Active Directory Users and Computers snap-in from Windows Help. The SCW policy file is actually a complete manifest of several different types of settings: • • System services startup mode Windows Firewall exceptions . copy. restore. The ability to quickly back up. export. Active Directory Users and Computers The MMC Active Directory Users and Computers snap-in provides the primary GUI to create and manage organizational units (OUs) within the domain. The following sections detail the common file formats that are used by Windows Server 2003: SCW Policy (. The GPMC provides: • • • • • A user interface that focuses on Group Policy use and management. You can link GPOs and OUs. Simplified management of Group Policy-related security. integrated way to inventory. Group Policy Management Console The Group Policy Management Console (GPMC) was produced by Microsoft in response to feedback from customers who needed a better way to control Group Policy in a large environment. Security File Formats Security policies can be created and stored in a variety of formats.xml. These XML policy files have no official schema. and launch the Group Policy Object Editor as a separate process to edit GPOs.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272dd3cbfc81887&DisplayLang=en. Native SCW policies are saved with an extension of .

Policy templates can contain one or more sections that define the following types of data: • • • • • • • • • • • • Password policies Lockout policies Kerberos authentication protocol policies Audit policies Event log settings Registry values Service startup modes Service permissions User rights Group membership restrictions Registry permissions File system permissions Policy templates are supported by almost all of the tools that are listed earlier in this appendix. Policy Template (.Appendix A: Security Tools and Formats 205 • • • • • Selected computer roles Selected computer tasks Registry settings Policy settings Audit policies Also. such as system service or registry access control lists (ACLs). and the same template format can be used for both local computer policies and Active Directory Group Policies. You can use a tool such as the GPMC to modify the settings or export the GPO into a policy template. which are followed by one or more attribute/value pairs. GPO backups that are created in this way keep the following information: • • • The GPO's globally unique identifier (GUID) and domain GPO settings The discretionary access control list (DACL) on the GPO UNCLASSIFIED . SCW policies can be linked to one or more policy templates to provide additional functionality that is not native to SCW.inf) Policy templates are text files that follow a standard format for Windows data files: one or more sections that are set off by special square bracket-enclosed keywords. Before they can be used. the templates must be imported by the appropriate tool. These policy files represent computer policies and user policies and are not usually manipulated directly. You can export or back up a GPO from within GPMC to save all the information that is stored inside the GPO to the file system. Group Policy Objects GPOs are policy data that is stored both in Active Directory and as a collection of files within special directories on domain controllers.

or OUs and it will not contain the actual WMI filters or IP security policies. In particular. which can be viewed as HTML from within GPMC Date and time stamp of when the backup was taken User-supplied description of the backup However. .206 Windows Server 2003 Security Guide • • • • • The WMI filter link. this file will not contain link information for sites. this backup does not save any of the data that is external to the GPO. if there is one (but not the filter itself) Links to IP Security policies. if any XML report of the GPO settings. domains.

you may wish to refer to the relevant chapter for an explanation of what the setting does and why it is important. different opinions about security issues should be expected. Which settings to include in this list could be the subject of an extensive debate. Deploy and maintain antispyware software on computers that are used to browse Web sites. Important countermeasures that are not security settings include: • • • • • Keep computers up-to-date on service packs and hotfixes with automated tools for testing and deployment. This appendix highlights those settings. "The Member Server Baseline Policy. Install and configure distributed firewall software or organizational IPsec policies. Deploy and maintain antivirus software. Use a non-administrative account for day-to-day tasks. You should only use an account with administrator privileges to perform tasks that require elevated privileges." UNCLASSIFIED . Because each organization has a distinct environment with unique business requirements." • • • • • • • • • • Enforce Password History Maximum Password Age Minimum Password Length Passwords must meet complexity requirements Store Password Using reversible encryption for all users in the domain Access this computer from the network Act as part of the operating system Allow logon locally Allow Log on through Terminal Services User rights. this list might help you prioritize tasks that relate to hardening computers that run Microsoft® Windows®. it is important to understand that some of them are especially important. Still. or that some of the listed settings do not need to be on the list. which is discussed in Chapter 3. In fact. "The Domain Policy. this topic was discussed at great length by a group of security experts within Microsoft. You may feel that some settings are missing.UNCLASSIFIED Appendix B: Key Settings to Consider Although this guide discussed many security countermeasures and security settings. Key security settings that are available in Microsoft Windows include: • Password policy. which are discussed in Chapter 4.

208 Windows Server 2003 Security Guide • Security options. which are discussed in Chapter 4. ." • Safe DLL Search Mode. which are discussed in Chapter 4. "The Member Server Baseline Policy. "The Member Server Baseline Policy." • • • • • • • • • • • • • • • Accounts: Limit local account use of blank passwords to console logon only Domain Member: Digitally encrypt or sign Secure channel Data (always) Domain Member: Digitally encrypt Secure channel Data (when possible) Domain Member: Digitally sign Secure channel Data (when possible) Domain member: require strong (Windows 2000 or later) session key Network access: Allow anonymous SID/Name translation Network Access: Do not allow anonymous enumeration of SAM accounts Network access: do not allow enumeration of SAM accounts and shares Network Access: Let Everyone permissions apply to anonymous users Network Access: Remotely Accessible Registry Paths Network Access: Restrict Anonymous access to named pipes and shares Network Access: Shares that can be accessed anonymously Network Access: Sharing and Security Model for Local Accounts Network Security: Do not store LAN manager hash value on next password change Network Security: LAN Manager Authentication Level • Additional registry settings.

"The Member Server Baseline Policy. "The File Server Role. "The Print Server Role. "The Infrastructure Server Role." The Bastion Host worksheet contains the Group Policy and SCW service settings that configure the bastion host policies as described in Chapter 12. "The Web Server Role." The CA Server worksheet contains the Group Policy and SCW service settings that configure the Certificate Services server policies as described in Chapter 11." • • • • • • • • UNCLASSIFIED . "The Domain Policy.xls" (included with this guide) documents the policy and service settings for all of the roles and environments that are included in this guide." The Infrastructure Server worksheet contains the Group Policy and SCW service settings that configure the infrastructure server policies as described in Chapter 6. This workbook contains ten worksheets. "The Domain Controller Baseline Policy." The IAS Server worksheet contains the Group Policy and SCW service settings that configure the IAS server policies as described in Chapter 10." The Member Server Baseline worksheet contains the Group Policy and SCW service settings that configure the MSBP as described in Chapter 4. one for each role in the guide: • • The Domain worksheet contains the Group Policy settings that configure the domainlevel policy objects as described in Chapter 3. "The Bastion Host Role." The Domain Controller worksheet contains the Group Policy and SCW service settings that configure the DCBP as described in Chapter 5. "The IAS Server Role." The Print Server worksheet contains the Group Policy and SCW service settings that configure the print server policies as described in Chapter 8.UNCLASSIFIED Appendix C: Security Template Setting Summary The Microsoft® Excel® workbook "Windows Server 2003 Security Guide Settings. "The Certificate Services Server Role." The File Server worksheet contains the Group Policy and SCW service settings that configure the file server policies as described in Chapter 7." The Web Server worksheet contains the Group Policy and SCW service settings that configure the IIS Web server policies as described in Chapter 9.

210 Windows Server 2003 Security Guide Each worksheet contains the following columns: • • • • The H column. The J column. The L column. Computer Configuration appears in column A. Policy Setting Name in User Interface. SSLF. is the recommended value for that setting in the EC environment. additional columns were used to illustrate the hierarchy of objects within the Group Policy Editor. Column I was also inserted to help with readability. The K column. Enterprise Client. is the recommended value for that setting in the SSLF environment. is the name of the setting as it appears in the Windows Server 2003 Group Policy Editor snap-in. For example. . Columns A through G are used to represent one level each of the hierarchy. Legacy Client. To make the spreadsheet easy to read. is the recommended value for that setting in the LC environment. and Security Settings appears in column C.

Tests were performed to verify functionality. EC. Use of the new Security Configuration Wizard (SCW) tool that became available in SP1 and new features such as Windows Firewall. Scope The Windows Server 2003 Security Guide was tested in a lab that simulated three different security environments—Legacy Client (LC). but also to help reduce the amount of resources that are needed by those who use the guidance to build and test their own implementations. Reasons for these changes include: • • • • • Changes caused by the release of SP1 for Windows Server 2003. "Introduction to the Windows Server 2003 Security Guide. The Windows Server 2003 Security Guide was tested in a lab environment to ensure that the guidance works as expected. Test Objectives The Windows Server 2003 Security Guide test team was guided by the following test objectives: • Validate the recommended changes in security settings for the three security levels that are defined in the guide. Ensure that hardened domain member servers are able to successfully perform their role tasks. UNCLASSIFIED . A vulnerability assessment of the test lab environment that was used to secure the Windows Server 2003 Security Guide solution was out of scope for the test team. and Specialized Security – Limited Functionality (SSLF).UNCLASSIFIED Appendix D: Testing the Windows Server 2003 Security Guide Overview The Windows Server 2003 Security Guide is designed to provide proven and repeatable configuration guidance to secure computers that run Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1) in a variety of environments. These environments are described in Chapter 1. The documentation was checked for consistency and all recommended procedures were tested by the Windows Server 2003 Security Guide test team. Enterprise Client (EC). and SSLF environments." Tests were conducted based on the criteria that are described in the following "Test Objectives" section. Internal and external feedback that was received about the previous version of the guide. Ensure that the security settings and configuration changes that are recommended in the guide meet the requirements of the LC.

Three separate but similar networks were developed. Each test network consisted of a Windows Server 2003 with SP1 Active Directory® directory service forest. The client computers in the different networks used Windows XP Professional with SP2 and Windows 2000 Professional with SP4. print.0 workstation with SP6a operating systems. Finally. The LC network also included client computers that ran the Windows 98 SR2 and Windows NT® 4. Test Environment The test lab networks that were developed to test this guide were similar to those that were used in the previous version of the guide. and other computers for application server roles that provided file. the EC and SSLF networks included Microsoft Operations Manager (MOM) 2005 and Systems Management Server (SMS) 2003 to manage and monitor the domain member servers and client computers. the guidance should be repeatable and reliably usable by a Microsoft Certified Systems Engineer (MSCE) with two years of experience. Also. Verify that all prescriptive guidance is clear. WINS and DHCP services. and the Bastion Host (BH) server role was included in the SSLF network.212 Windows Server 2003 Security Guide • • Ensure that communication between the client computers and the domain controllers is not negatively affected. and technically correct. DNS. one for each of the defined environments. and Web services. The EC network also included computers for the Certificate Services and IAS server roles. complete. computers for infrastructure server roles that provided domain controller. These networks also included Microsoft Exchange Server 2003 for e-mail service. .

One site was the main office site with an empty root domain and a child domain that consisted of the previously mentioned server and client computers. UNCLASSIFIED . The second site consisted merely of a single second domain controller of the child domain. the Active Directory forest consisted of two sites.1 Logical diagram of the test lab network for the EC environment To verify replication scenarios between hardened domain controllers.Appendix D: Testing the Windows Server 2003 Security Guide 213 The following diagram shows the test lab network that was developed for the EC environment. Figure D.

During each pass the team strove to stabilize the solution. The test team established a lab that incorporated the three networks that are described in the previous section.214 Windows Server 2003 Security Guide The following diagram shows the test lab network that was developed for the SSLF environment. The "Test Preparation Phase" section describes the steps that were performed to ensure that the lab environment was free of any issues that could cause a misinterpretation of the actual test results after the three environments were hardened through the first two incremental build phases. A quick proof of concept (POC) test pass and then two more robust test cycles were executed. A test cycle was defined as a sequence of the following phases: 1. It is also referred to as the “baseline” state. Security Configuration Build phase • • Manual configuration phase Group Policy configuration phase 2.2 Logical diagram of the test lab network for SSLF environment Testing Methodology This section describes the procedures that were followed to test the Windows Server 2003 Security Guide. . Test Execution phase The details of each phase are provided in the following "Phases in a Test Pass" section. Figure D.

After the previous steps are completed. Create and configure the domain. The manual hardening recommendations that were provided in each chapter were implemented during this phase. Test Preparation Phase This phase set up the baseline configuration to which the solution is applied during the Security Configuration Build phase. Security Configuration Build Phase The objective of this phase was to follow the procedures in the guide to configure the domain. 2. The following steps were performed for each of the three environments—LC. 5. For example. and member servers to a more secure level than the baseline configuration. Check the event logs on the client computers to ensure that there are no errors. 4. Execute basic verification tests for each server role to confirm proper network and application configuration. Ensure that all required applications. CA. 3. verify that the MOM agent is installed on all the servers that will be managed by the MOM server. domain controllers. Check the event log of each member server in the network to ensure that there are no application or system level errors. Network the computers as illustrated in the network diagram and install the appropriate versions of the Windows operating system on all server and client computers. 6. and the two sites. domain controllers. Review each procedure carefully to understand its impact on your network. file. Web and e-mail). Manual Configuration Phase This phase is often the first security build phase. This method ensured that correct security configuration was implemented in the network and validated the accuracy of the test results that were obtained. and SSLF: To complete the test preparation phase 1. Note: Some of these steps may be applicable for your network and some may not. services. join the client computers to the domain. and agents are installed on each domain member. Also. UNCLASSIFIED . DHCP. Any critical issues that were found during the build phase were identified as bugs and resolved in that phase before the test team moved to the test execution phase. Ensure client computer accessibility to the services that are provided by the domain controller and member servers (DNS.Appendix D: Testing the Windows Server 2003 Security Guide 215 Phases in a Test Pass The test pass phases are described in the following subsections. create an image backup of each computer. EC. Join and configure each member server and the management servers. 8. 7. These backup images are used to "roll back" the network to the baseline configuration before a new test pass is started. print.

2. For example. SCW is an attack-surface reduction tool that is used to create the required set of security policies for each of the server roles that are discussed in this guide. The template files are included with the downloadable version of this guide. 3.inf security template. 4. "Windows Server 2003 Hardening Mechanisms" and each individual server role chapter.216 Windows Server 2003 Security Guide To perform the manual configuration phase 1. services. Group Policy Configuration Phase The purpose of this phase is to create and apply the Group Policy objects (GPOs) at the domain and organizational unit (OU) levels. has been renamed. Complete the following steps to secure the domain accounts: a. Use the MMC Active Directory Users and Computers snap-in to create the described OU structure.inf security template for the server role. Create the Domain Policy GPO with the . c. 2. 3. ensure that the MOM agent was installed on all the domain member servers that will be managed by MOM." Service Pack 1 for Windows Server 2003 introduced some new tools and features that caused the Group Policy implementation design to change from its previous version. "Windows Server 2003 Hardening Mechanisms. enable Manual Memory Dumps and Error reporting configuration. Use the Microsoft Management Console (MMC) Computer Management snap-in to perform the prescribed policy setting changes (such as the local administrator account and password) on each member computer. Add any unique security groups or accounts to the user rights settings as described in the chapters. Use the SCW tool to create XML–based security templates for each server role that is described in the guide. Prescriptive steps are described in Chapter 2. When you perform this step. and agents were installed on each domain member in the baseline network. . The availability of SCW caused the following two significant changes for the Group Policy Configuration Phase: • • IPsec filters that were provided with the previous version of this guide were replaced with Windows Firewall port configurations that were created with SCW. Rename the Guest accounts on the host and disable them. and has had its default account description removed. The following steps were repeated for each of the three security environments: To create Group Policy objects 1. Perform all other applicable manual hardening procedures as prescribed in each chapter. Security templates that are included with the guide are to be used in conjunction with SCW to create XML security template files. b. GPOs are applied to the different OUs based on the recommendations in Chapter 2. These templates are then converted to corresponding GPOs using the Scwcmd command-line tool. For example. This step does not require the use of SCW. Ensure that the built-in local Administrator account has a complex password. include the appropriate . Ensure that all required applications. Incorporate any additional recommendations from the guide about how to secure the domain accounts.

Note: If default GPO links are already present or if there are multiple GPOs. Complete the following steps to confirm the successful download of Group Policy from domain controllers to member server computers. execute gpudpate /force at a command prompt on all domain controllers. Important: It is very important to restart the domain controllers after you apply the Domain Controllers Policy GPO. The Group Policy Management Console (GPMC) tool was used to link the GPO with the OU. The Domain Controller Policy GPO was linked last. The following steps were performed to complete the rest of the Security Configuration Build phase: To apply Group Policy objects 1. Use the Group Policy Management Console tool to link the Member Server Baseline Policy GPO to the Member Servers OU.Appendix D: Testing the Windows Server 2003 Security Guide 217 5. Verifying Group Policy Download on the Member Server Computers The previous procedures created GPOs and applied them to OUs to configure the computers in those OUs. To ensure application of the latest Group Policy settings. 5. 4. On the Bastion Host server. use the SCW tool to apply the Bastion Host XML security template on the Local GPO of the server. 6. type rsop.msc. Log on to the member server computer. Link each individual server role GPO to the appropriate server role OU. Repeat step 4 on the Bastion Host server to create the Bastion Host XML security template and then use SCW again to convert and apply it to the Local GPO. UNCLASSIFIED . (You can also perform this step with the MMC Active Directory Users and Computers snap-in. (It is assumed that the member server computers were restarted after the GPO was linked to the OU. At this stage. Run. Link the Domain Controller Policy GPO to the Domain Controller OU. Then restart all the domain controllers one at a time. Repeat step 5 on all of the domain member servers. 2. 6. Use the Scwcmd command-line tool to convert the XML security templates that were created in the previous step to GPOs. If you do not perform this step you may see replication errors in the Directory Service folder or Userenv errors in the Application folder of Event Viewer. 2. all the domain member servers reside in the Computers OU. 8.) 3. Review the error logs to troubleshoot and resolve any failures. The next task (detailed in the following procedure) is to apply each of these GPOs to the respective OUs. Link the Domain Policy GPO to the domain object. Check Event Viewer for any errors. starting with the primary domain controller.) To verify Group Policy download on a member server computer 1. Allow sufficient time for Active Directory to replicate the changes between the sites. compare the settings with the guidance in the chapters to identify any incorrect configurations. you might need to elevate the GPO links in the priority list. and press ENTER. After the GPOs are successfully created. Click Start. These servers are then moved to their respective OUs under the Member Server OU. 7.

The GPO that was applied to the OU should be available in the list. This approach helped the test team to identify potential errors and any variations in functionality for the listed server roles. or system failure events that are caused by processes that were used to harden the domain. The main purpose of these tests was to ensure that domain services (such as authentication. and member servers did not experience any significant loss of functionality. member servers. access rights. 4. Details such as test scenarios. and expected results are also provided. execution steps. which was only available in the EC environment. • • The test team executed the set of test cases that are included in \Windows Server 2003 Security Guide Tools and Templates\Test Tools folder. they were executed before and after the security settings that are described in this guide were implemented. Test Execution Phase This phase executes the test cases that were developed by the test team. name resolution. Types of Tests The test team performed the following types of tests during the test phases to ensure that the secured domain. (The tools and templates are included with the downloadable version of this guide. Right-click Computer Configuration and click Properties. which contain the complete list of test cases that were executed for domain–based as well as stand-alone servers that run Windows Server 2003 with SP1. In the Resultant Set of Policy console. All issues that were found were logged in a database and triaged with members of the development team until they were resolved. Technical inaccuracies between what is documented in the chapters and the physical implementation in the test lab. You may want to refer to the Excel workbooks in the \Windows Server 2003 Security Guide Tools and Templates\Test Tools folder that is included in the download for this guide. In addition to these test cases. to periodically check Event Viewer logs or to verify any specific issues that were discovered in the previous version of the guide. or Bastion Host server. domain controllers. These tests were executed multiple times.) These tests were executed on each of the three separate networks except for those that tested components that were only available in one network—such as Certificate Services. and so on) and application based services (such as File. Lost availability of a service or functionality that is caused by changes to the security configuration of the servers in the network. security. More importantly. expand Console Root and browse to Computer Configuration. More detailed information about the different types of tests that were performed is provided in the next section. and there should be no errors associated with it. domain controllers. The list of GPOs will display in the Computer Configuration Properties panel. . The test execution phase seeks to identify the following: • Any potential application.218 Windows Server 2003 Security Guide 3. Client Side Tests These test cases were executed on the client computers in the network. manual testing was performed at various time—for example.

Appendix D: Testing the Windows Server 2003 Security Guide

219

Print, and Web) are available to the client computers after the network servers are hardened. For the LC environment, these tests ensured that those client computers that run Windows NT 4.0 SP6a and Windows 98 were able to authenticate with the Windows Server 2003 Active Directory domain.

Documentation Build Tests
These tests validate that the statements, procedures, and functions that are documented in the implementation guidance are accurate, unambiguous, and complete. No separate test cases are listed for these tests.

Script Tests
Some of the client test scenarios were scripted in VBScript. These test cases are primarily concerned with proper functionality of Windows XP client computers that use network–based services, such as domain logon, password change, and print server access. The VBScript files for these test cases are available in the \Windows Server 2003 Security Guide Tools and Templates\Test Tools folder that is included in the downloadable version of this guide.

Server Side Tests
These test cases were developed to verify functionality and the effect of the build procedures on Windows Server 2003 with SP1 servers that were secured with the recommendations in this guide. All the server roles that are described in this guide were tested. The additional server roles that were included in the test network, such as Exchange, MOM, and SMS, were also tested.

Pass and Fail Criteria
Before tests were performed, the following criteria were defined to ensure defect prevention and bug resolution: • • All test cases must pass with expected results as described in the individual test case spreadsheets. A test case is considered to have passed if the actual result matched the expected result that is documented for the case. If the actual result does not match the expected result, it was treated as a failed test case, a bug was created, and a severity score was assigned. If a test case failed, it was not assumed that the solution guidance was necessarily defective. For example, misinterpretation of product documentation, incomplete documentation, or inaccurate documentation could cause failures. Each failure was analyzed to discover its cause based on actual results and the results that were described in project documentation. Failures were also escalated to the appropriate owners of the respective Microsoft products.

Release Criteria
The primary release criterion for the Windows Server 2003 Security Guide was related to the severity of bugs that were still open. However, other issues that were not being tracked through bugs were also discussed. The criteria for release are: • • No bugs are open with severity levels 1 and 2. All open bugs are triaged by the leadership team, and their impacts are fully understood.
UNCLASSIFIED

220

Windows Server 2003 Security Guide

• • •

Solution guides are free of comments and revision marks. The solution successfully passes all test cases in the test lab environment. Solution contents have no conflicting statements.

Bug Classification
The bug severity scale is described in the following table. The scale is from 1 to 4, with 1 as the highest severity and 4 as the lowest severity. Table D.1 Bug Severity Classification Severity 1 Most common types – Bug blocked build or further testing. – Bug caused unexpected user accessibility. – Steps defined in the documentation were not clear. – Results or behavior of a function or process contradicts expected results (as documented in functional specification). – Major mismatch between the security template files and the functional specification. – Steps defined in the guide are not clear. – Documented functionality is missing (in this case, test was blocked). – Documentation is missing or inadequate. – Inconsistency between security template files and content in the guide, but security template file is in sync with functional specification. – Documented format issue. – Minor documentation errors and inaccuracies. – Text misspellings. Conditions required – Solution did not work. – User could not begin to use significant parts of the computer or network. – User had access privileges that should not be allowed. – User access was blocked to certain server(s) that should be allowed. – Expected results were not achieved. – Testing cannot proceed without being addressed. – User had no simple workaround to amend the situation. – User could not easily figure out a workaround. – Primary business requirements could not be met by the computer or network.

2

3

– User has a simple workaround to mend situation. – User can easily figure out workaround. – Bug does not cause a bad user experience. – Primary business requirements are still functional. – Clearly not related to this version.

4

– Suggestions. – Future enhancements.

Appendix D: Testing the Windows Server 2003 Security Guide

221

Summary
This appendix enables an organization that uses the Windows Server 2003 Security Guide to understand the procedures and steps that were used to test the implementation of the solution in a test lab environment. The actual experience of the Windows Server 2003 Security Guide test team is captured in this appendix, which includes descriptions of the test environment, types of tests, the release criteria, and bug classification details. All of the test cases that were executed by the test team passed with the expected results. The test team confirmed that the requisite functionality was available after the recommendations from the Windows Server 2003 Security Guide for the defined environments were applied.

UNCLASSIFIED

LLC Stirling Goetz Ian Hellen Jesper Johansson Steve Ryan. 3Sharp. Infosys Technologies Mehul Mediwala. LLC Eric Fitzgerald Devin Ganger. Infosys Technologies Vince Humphreys.Acknowledgments The Microsoft Solutions for Security and Compliance group (MSSC) would like to acknowledge and thank the team that produced the Windows Server 2003 Security Guide. Arizona State University Jose Luis Auricchio Avi Ben-Menahem Program Managers Bomani Siwatu Alison Woolford. V6 Security Inc. Infosys Technologies Paresh Gujar. Volt Information Sciences Gaurav Singh Bora. 3Sharp. and testing of this solution. Content Master Kirk Soluk Reviewers Roger Abell. Volt Information Sciences Ashish Java. Content Master Jon Tobey Steve Wacker. development. Siemens Agency Services Testers Kenon Bliss. The following people were either directly responsible or made a substantial contribution to the writing. Wadeware LLC UNCLASSIFIED . 3Sharp. Authors Mike Danseglio Kurt Dillard José Maldonado Brad Warrender Release Managers Flicka Crandell Karl Seng. Infosys Technologies Content Contributors Liam Colvin. Tony Dowler. Content Master Lynne Perry. S&T Onsite John Cobb. Content Master Rich Benack Shelly Bird Susan Bradley Steve Clark Rob Cooper Duane Crider Karel Dekyvere Christine Duell Eric Fitzgerald Mike Greer Robert Hensing Chad Hilton Andrew Mason Editors Reid Bannecker Wendy Cleary. Volt Information Sciences Kelly McMahon. Infosys Technologies Rob Pike Varun Rastogi. LLC William Dixon.

Configuresoft Shain Wray Jeff Cohen John Dwyer Sean Finnegan Karl Grunwald Joanne Kennedy Karina Larson.Don McGowan James Noyce Joe Porter Joel Scambray Debra Littlejohn Shinder Tom Shinder Steve Smegner Ben Smith Allen Stewart Didier Vandenbroeck Ryan Vatne Jeff Williams Jim Whitney. Volt Information Sciences Chrissy Lewis. . Volt Information Sciences Graham Whiteley Rob Wickham Lori Woehler Jay Zhang Other Contributors Ignacio Avellaneda Ganesh Balakrishnan Tony Bailey Shelly Bird Nathan Buggia Derick Campbell Chase Carpenter At the request of Microsoft. Volt Information Sciences David Visintainer. which were incorporated into the published versions. The Center for Internet Security (CIS) and the United States Department of Commerce National Institute of Standards and Technology (NIST) participated in the final review of these Microsoft documents and provided comments. Siemens Business Services David Mowers Jeff Newfeld Rob Oikawa Vishnu Patankar Peter Meister Keith Proctor Bill Reid Sandeep Sinha Stacy Tsurusaki.

Master your semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master your semester with Scribd & The New York Times

Cancel anytime.